FOI Chapters of the Annual Reports

2023

1. Introduction

Greetings Dear Reader,

In recent years, due to the challenges of the 21st century, a comprehensive renewal of the digital space landed in the focus of data protection regulation. In 2023, there were significant advances to adopt the EU digital regulation package, as a result of which the responsibilities of NAIH also expanded.

One of the elements of outstanding importance of the new regulations is the Data Governance Act or DGA for short. DGA aims for data--centred innovation, i.e. to facil- itate data sharing among strategic areas and branches (such as healthcare, environ- ment protection, energy, finances, public administration, etc.) and EU Member States with a view to exploiting the opportunities in data for the benefit of European citizens and undertakings. As of 1 January 2024, NAIH acts as the “competent authority” ac- cording to DGA. (More detailed information on the new EU digital regulations is avail- able in the chapter “EU digital regulations (current affairs)”.)

Changes can be reported also in national regulation: at its session on 13 December 2023, Parliament adopted the Act on the System of the Use of National Data Assets and Certain Services, whose amendments affecting Act CXII of 2011 on the Right to Informational Self-Determination and the Freedom of Information entered into force on 1 January 2024. Inter alia, the amendment assigned responsibilities and powers for the regular supervision of the implementation of the requirements concerning the transparency and accessibility of data of public interest and data accessible on the grounds of public interest and the related reporting obligation to NAIH. The amend- ment introduces a new reporting obligation, expanded relative to the former scheme, with regard to organs performing public duties, municipalities and business organisa- tions in public ownership to be met by 31 January of each year by providing data on the preceding year (see in greater detail in the chapter on Freedom of information).

The expansion of responsibilities implied changes in personnel: as of the second half of 2023, two vice presidents assist the president in his work: a general vice president in charge of general affairs and an international vice president acting in relation to EU and international affairs.

For the third time since NAIH’s establishment, the spring conference of the European data protection authorities was organised again in Budapest in May 2023, receiving visitors from 39 countries. The goal of the conference convened each year is to pro- mote cooperation and the exchange of good practices among the members of the conference (accredited EU and non-EU data protection supervisory organisations) with a view to the promotion and maintenance of the protection of personal data and privacy in Europe. Based on an idea of Giovanni Buttarelli, a former European Data Protection Supervisor, the novelty of the May conference was that in addition to the close sessions organised for accredited members an open day was also included ac- cessible to the interested public, whose subject matter was the presentation of the role and functions of the data protection officer.

Another important event in 2023 was the ratification of the Data Protection Convention of the Council of Europe (the so-called Convention 108+) by Hungary as the 30^th country. The two objectives of modernisation – while continuing to respect the prin- ciples – were to reflect on the challenges of the digital age and to reinforce the moni- toring mechanism of the Convention. The merit of the 1981 Convention was that this was the first internationally binding document to include the right to the protection of personal data derived from but independent of the right to the protection of privacy and to this date, this is the international data protection legal norm with the broadest territorial scope.

Budapest, 20 February 2024

Dr. habil Attila Péterfalvi Honorary university professor President of the Hungarian National Authority for Data Protection and Freedom of Information

2. Freedom of Information

Based on the provisions of Section 71/D(8) of the Privacy Act entering into force on 1 January 2024, the Authority “annually produces a report as part of its account specified under Section 38(4)(b)” on its monitoring activity regulated in Chapter VI/B of the Privacy Act. In view of the fact that this monitoring activity is closely related to the Authority’s functions and powers related to monitoring and facilitating the enforcement of the right to access data of public interest and data accessible on public interest grounds – some of its elements are inseparably overlapping – the Authority publishes this entire chapter of its annual report as the report required by Section 71/D(8) of the Privacy Act and commends it to the attention of the Reader.

2023 was the year that could be described as a “historical milestone” in the his- tory of the freedom of information in Hungary because it was on 28 February this year that NAIH was authorised to monitory and rectify the performance of spe- cial disclosure obligations newly defined in the Privacy Act with regard to disclo- sure on the Internet in authority procedures for transparency as the Hungarian supervisory organ designated to monitor and facilitate the enforcement of the right to access data of public interest and data accessible on public interest grounds,. This new legal institution requires a new approach from the obligees, as well as from the Authority, which is fundamentally different from that hitherto applied; in addition, it has or may have a positive impact on proactive freedom of information, on the practice of electronic disclosure, as well as on ensuring the accessibility of data of public interest as it directs attention to the requirement and consequences of the even more perfect and more accurate enforcement of the fundamental right.

A substantial increase was observed in all the types of cases, notifications and complaints, affecting the freedom of information, received by the Authority (com- plaint, consultation, the so-called “borderline” authority procedures for data pro- tection) relative to 2022. Interestingly, some 450 litigations for data requests were launched at the courts of first instance in 2023, the Authority conducted 660 investigations concerning the freedom of information in the same period.

There has been a newly evolving trend since the termination of the cost reim- bursement that could be charged on the grounds of the disproportionate use of labour resources: the organs performing public duties concerned by the data re-

quests increasingly refer to the circumstance among the reasons for rejection that they do not process the requested data in the requested format, and they are not obliged to generate them or they do not qualify as controllers. However, for some reason, they do not tell the person requesting the data about the reason for the latter case or whether data have been generated and, if so, from whom they can be requested. Several submissions addressed the mode of meeting the data requests, the operation of the HIKAP/KIKAP portal, the accessibility of the data, their downloading, the use of the opportunity for access exclusively in per- son, the prevention of making notes or copies, the problems related to the ma- chine readability of the data sent and the use of a digital “watermark” on the data issued referring to the person requesting the data.

Parliament adopted a new paragraph of Section 30 of the Privacy Act at its ses- sion of 13 December 2023, which provided for new reasons for rejection for the organs performing public duties, so as of 1 January 2024, the organ is not obliged to issue the requested data of public interest or data accessible on pub- lic interest grounds, if it does not actually process the data or it would necessi- tate the procuring or collecting data that are processed by an organ performing public duties under the direction or supervision of the former. A request may also be denied, if its fulfilment would necessitate the production of new data relative to the data actually held by the body, by comparing the data of public interest or data accessible on public interest grounds. The use of these reasons for rejec- tion is not mandatory and they may not be applied to data requests in progress.

The legislator added a new Section 3/A to Act CXXII of 2009 on the More Economical Operation of Publicly Owned Companies resulting in the restriction of the accessibility of data for reasons of public interest. In the case of foreign in- vestments, if access to

financial,
technical and
business data

in documents related to contracts concluded, the underlying decision support, the conclusion, modification or termination of contracts, or in documents con- cerning the future development, modification or termination of foreign policy or the external economic relations, or in documents generated for the preparation of relevant decisions would jeopardise the pursuit of Hungary’s foreign policy or external economic interests free of undue external influence, or its national secu-

rity interests, compliance with the request to grant access to the data as data of public interest or data accessible on public interest grounds has to be denied as long as the public interest quoted as the basis for denying the request prevails, but at most for 10 years from the date of their generation or the date of signature. This restriction extends to similar data in contracts and documents concluded on the basis of international contracts processed by a business organisation in pub- lic ownership. The minister exercising ownership rights of the business organi- sation or supervising it decides on the accessibility of data based on an opinion developed by balancing the public interest in accessing the data and the public interest in the denial (cogent public interest test), which has to be issued at the latest within fifteen days. The period from requesting the opinion until it is issued or the unsuccessful expiry of the period open for providing the opinion is not in- cluded in the period available for complying with the request to access the data.

3. Data provided by organs performing public duties and statistical data from the Authority’s monito...

3.1.1. Reporting by organs performing public duties

Hungary Recovery and Resilience Plan C9.R26. In order to implement the re- form entitled Improvement of transparency and access to information of public interest (milestones 229 – 233), it is necessary to draft reports on six-month pe- riods for the second half of 2022 and thereafter each year until the first half of 2026.

To meet this commitment, Act CI of 2023 on the system of the utilisation of the national data assets and certain services added a new chapter VI/B. [Section 71/D.] to the Privacy Act, which gave new functions and powers to the Authority (hereinafter: monitoring freedom of information) and linked to this it specified a reporting obligation for organs performing public duties that was expanded rela- tive to the previous requirements set forth in Section 30(3) of the Privacy Act.

Based on the provisions of the law, organs performing public duties, specifically including municipalities and business organisations in public ownership, have to provide data on the preceding years from 2024 by 31 January of each year

on the number of granting and rejecting requests to access data of public interest and data accessible on public interest grounds and the characteristic reasons of rejection,
the average number of days needed to grant the request to access data of public interest and data accessible on public interest grounds, and
the accurate internet accessibility to the location where data of pub- lic interest and data accessible on public interest grounds are published.

Pursuant to Section 30(3) of the Privacy Act, organs performing public duties have to keep records on the requests refused and the reasons for refusing them from then on as before.

In addition to the above, based on Section 71/D of the Privacy Act, the Authority shall have to carry out the following tasks as part of freedom of information moni- toring:

It has to monitor compliance by the obligee organs based on the report- ing. Monitoring by the Authority extends to the examination of the public disclosure of data of public interest and data accessible on public inter- est grounds.
Based on notification, the Authority also conducts separate
The Authority may request data from the monitored organs for its moni- toring; the monitored organs are required to comply with such requests within 8 days from receiving the request.
The Authority may make recommendations to the monitored organs with a view to promoting compliance with the requirements for the transparen- cy of data of public interest and data accessible on public interest grounds and for their accessibility.
The head of the organ affected by the recommendation has to draw up an action plan for the implementation of the necessary measures and trans- mit this plan to the Authority within 15 days from the receipt of the recom-
As part of its public report, the Authority has to draw up a report on the monitoring annually.

In the rather short period available for preparation between the promulgation of the regulation (22 December 2023) and its entry into force (1 January 2024), the Authority took every measure to apply the regulation efficiently and smoothly.

As part of this, the Authority published a smart data sheet for meeting the re- porting obligation through the link at https://naih.hu/adatlap-eves-jelenteshez. In order to inform the largest possible number of organs performing public duties of the reporting obligation, extended relative to the previous requirement, which entered into force on 1 January 2024 and was to be complied with by 31 January 2024, the Authority took action to publish the bulletin in the Hivatalos Értesítő (Official Gazette) and initiated the provision of information to local governments through the Ministry of Public Administration and Rural Development.

Following the preparations, the Authority received reports from altogether 5,895

organs. The reporting obligation applies to the following organ types:

state-owned business organisation, state public authority, state public in- stitution, budgetary organ according to the Act on Public Finances, legal entity according to the register of the State Treasury, public body (state sphere);
local government, body of representatives and its organs, budgetary or- gans founded and supervised by the local government, minority govern- ments and their organs (municipal sphere);
person according to private law performing public duties;
non-profit business organisation in public ownership, state-owned busi- ness organisation performing public duties specified in legal regulation, state-owned business organisation or municipal business organisation operating with a share in state ownership to be kept among national as- sets of outstanding significance for the national economy (business or- ganisation in public ownership);
foundation established out of public assets (public foundation, foundation performing public duties according to the Civil Code, trust foundation, trust foundation of public interest performing public duties);
business organisation in indirect public ownership; and
other organisations performing public duties: water management and forestry management associations, sport unions, higher education, or- ganisation for copyright protection, other organisation performing public duties in the area of the administration of justice (organs performing other public duties).

The following table contains the breakdown of reporting organs by organ type.

Looking back to preceding years, there was a major increase in terms of the re- porting obligation to be complied with in 2023 relative to 2021 and 2022 because of the change in the legal regulation described above as reports were received from 997 organs in 2022 and 1,350 in 2023.

Change_in_the_number_of_organs_supplying_data_on_2022-2023-2024.png

Local governments and minority governments as well as their organs in the mu- nicipal sphere had the largest cardinality.

Besides the 432 local governments and their organs, 15 minority governments submitted reports on 2021; 584 local governments and their organs and 25 mi- nority governments submitted reports on 2022. Reports on 2023 were submit- ted by 2,612 local governments and their organs, 870 budgetary organs founded and supervised by local governments and 301 minority governments and their organs totalling: 3,783 municipal organs.

Based on the regional distribution of reporting organs, Budapest submitted the largest number of reports (660), followed by Pest County (570), with Komárom- Esztergom County coming last (162).

Similarly to the increase in the number of reporting organs, the ratio of requests for data of public interest granted and rejected showed a positive change relative to the data of the preceding years.

In 2022, in the reports on 2021, 3.881 (35%) requests for data of public interest were rejected out of a total of 11,019;
In 2023, with regard to 2022, 3,260 (33%) out of 9,739 data requests were closed with the restriction or exclusion of access to data of public
In 2024, in the reports on 2023, the controller organ performing public du- ties declined to grant access to data of public interest in 6,210 cases (21 %) of the 14,840 data requests involving 30,238 data types.

Change_in_the_ratio_of_requests_for_data_granted_and_rejected.png

The expansion of the content of the reporting, which entered into force on 1 January 2024 showing the number of data requests submitted in the given year and the average number of days spent on meeting the data request, shows a more detailed picture of the practice of organs performing public duties regard- ing the assessment of data requests.

Ratio_request_for_data_categories_granted_and_rejected_in_2023.png

The reasons given by the organs performing public duties for excluding access to data were the following:

Section 27(1) of the Privacy Act - classified data;
Section 27(2)(a) of the Privacy Act - defence interest;
Section 27(2)(b) of the Privacy Act - national security interest;
Section 27(2)(c) of the Privacy Act - prosecution / prevention of criminal acts;
Section 27(2)(d) of the Privacy Act - environmental or nature conserva- tion interest;
Section 27(2)(e) of the Privacy Act - central financial / foreign exchange policy interest;
Section 27(2)(f) of the Privacy Act - foreign affairs interest;
Section 27(2)(g) of the Privacy Act - court or administrative authority pro- cedure in progress;
Section 27(2)(h) of the Privacy Act - right to intellectual property;
trade secret
bank secret
tax secret
other secret
the data to be accessed were not data in the public interest, or data ac- cessible on public interest grounds,
Section 28(3) of the Privacy Act - the person requesting the data failed to clarify the identity of the controller;
Section 29(1)(a) of the Privacy Act - data request was for the same type of data repeated within a year;
Section 29(1)(b) of the Privacy Act - the person requesting the data fails to give his/its name and contact data;
the organ performing public duties to which the data request was submit- ted does not process the data to be accessed;
Section 27(5) of the Privacy Act - the data supports decision-making;
Section 27(6) of the Privacy Act - the data supports additional future de- cision-making,
Section 27(6) of the Privacy Act - access to the data would jeopardise the lawful functioning of the organ performing public duties, or the perfor- mance of its functions and powers without undue external influence, such as, in particular, the free expression of its views while generating the data during the preparatory stage of decision-making;
the applicant failed to pay the charged cost

A case when the person requesting the data withdraws the data request does not qualify as a reason for rejection, but, as part of the practice to issue data, it was included in the reports. As the reports address the practice of a year, in the case of requests for data of public interest submitted in the last days, it may occur that the controller lawfully extends the period open for compliance by an additional 15 days, so it may occur that the submitted data request is not answered by the time the report is completed (submitted but not assessed data request).

The reasons for rejection most frequently quoted in the previous years (2021, 2022) were also quoted in the first place in the 2023 reports. In terms of the use of reasons for rejection, one item differed substantially (17%) from the practice in preceding years: data not processed by the organ to which the data request was submitted.

Data_not_in_the_public_interest_or_data_not_accessible_on_public_interest_grounds.png

The amendment of the law, which entered into force on 1 January 2024, added further information on the data related to fulfilling data requests to the content of the data provided. Such additional information includes the average number of days needed to answer data requests. A substantial number, i.e. 3,711 (63 %) of the reporting organs submitted a “zero” statement, in other words, they did not receive requests for data of public interest in 2023, hence the time spent on an- swering them was also zero.

Of the organs (2,184) which received requests for accessing data of public inter- est, 69% (1,513) answered the request in less than 15 days; for 17% (379) this period was 15 days, and for 13 % (292) this period exceeded 15 days.

3.1.2 Statistical data of the Authority’s freedom of information monitoring activities in 2023

In 2023, the Authority launched 509 cases for freedom of information monitoring to enforce the fundamental right to access data of public interest. The complaints in 96% (483) of the notifications concerned access to data of public interest by way of data requests, while 4% (20) complained against the electronic publica- tion practice of certain organs performing public duties.

The monitoring covered the data access and data issue practices of altogether 426 organs performing public duties, of which the three outstanding groups of or- gans were state public institutions (124, 29%), local governments, bodies of rep- resentative and their organs (125, 29%) and state authorities (111, 26%).

Of the monitored organs, 58% complied with and 42% failed to comply with their reporting obligation according Section 71/D(4) of the Privacy Act

In the case of the three organ groups of large numbers concerned in the moni- toring:

87 (70%) of the state public institutions (124)
53 (48%),of the local governments, bodies of representatives and their organs (125) and
71 (57%) of the state authorities (111) complied with the reporting obliga- tion set forth in Section 75/D(4) of the Privacy Act.

Of the cases of freedom of information monitoring launched in 2023, the Authority issued calls in accordance with Section 56(1) of the Privacy Act in 140 instances, which had to be repeated in 30 cases. In 12 cases, the Authority issued reports according to Section 59 of the Privacy Act and made three recommendations to controllers and the supervisory body of the controllers based on Section 56(3) of the Privacy Act.

4. The Central Information Register of Public Data and the au- thority procedure for transparency of...

Based on Section 37/C of the Privacy Act in force as of 29 November 2022, budgetary organs have to publish some of their financial data in the Central Information Register of Public Data (hereinafter: Platform). As from 1 March 2023, the Authority monitors compliance with this obligation in its authority pro- cedures for transparency based on Sections 63/A and 63/B of the Privacy Act. In view of the fact that the deficiencies of the operation of the Platform and of regular reporting by the organs may jeopardise the payment of EU funds, the

Authority pays particular attention to monitoring compliance with this new obliga- tion and the elimination of infringements.

By 6 February 2024, 1,836 budgetary organs submitted 7,268 reports to the Platform, of which 5,930 reports were made on completed data sheets free of formal errors. The Transparency Authority Division of the Authority in operation from 1 March 2023 monitored 740 organs and launched 109 procedures by 28 June 2023. During the period from 29 June 2023 to 28 December, an additional 312 organs were monitored and 75 authority procedures for transparency were launched. Of the 160 decisions made in authority procedures for transparency, the Authority established infringements in 145 decisions, of these it ordered the budgetary organ to improve or supplement its report in 25 decisions. Fines had to be levied in no more than 4 procedures. The Authority did not levy fines ac- cording to substantive law, because the budgetary organ terminated the infringe- ments in every procedure and in 120 procedures not even an order was needed.

Orders were related to the termination of minor deficiencies; the organs added the greater part of the data concerning missing contracts even without an order. The remaining deficiencies arose from the fact that subsequent performance was not in line with the provisions of the Guidelines5 produced by NAVÜ or was technically erroneous. In these procedures, the clients did not respond to the questions posed in the Authority’s orders. Finally, it was not necessary to levy fines according to substantive law even in these procedures as the clients termi- nated the infringements prior to bringing the decision.

Prior to the due date for submitting the first report, the Authority called the atten- tion of the budgetary organs to the new obligation in several statements. In spite of this, in many cases they failed to submit the reports, because the organs were not aware of the new obligation. Surprisingly, this occurred in the case of a major university [NAIH-6341/2023], and significant central budgetary organs [NAIH- 9470/2024, NAIH-4798-13/2023, NAIH-5084/2023, NAIH-6346/2023,].

The majority of hospitals also failed to produce their reports by May 2023 [NAIH- 5367/2023, NAIH-5365/2024, NAIH-5366/2024, 5297/2023, 5438/2023], so

the Authority requested information from the National Directorate General for Hospitals and published a notice calling the attention of the hospitals to the ob- ligation. As a result, numerous hospitals complied with the reporting obligations on 15 May 2023.

Guidelines for Filling in the Data Sheet, https://kif.gov.hu/adatszolgaltatasok/adatszolgaltatoknak

As reasons for their failure to submit the reports or their deficiencies, the or- gans mentioned administrative errors, lack of human resources or the departure of adept staff members most of the time. It is a frequent problem that although the contract missing from the Platform has already been concluded, it is not en- tered in the organ’s register for a long time, so the data are not provided within the time limit, in violation of the law. In the cases of several organs, there was not only one deficiency that led to the infringement. For instance, a budgetary organ received a letter informing them of the new obligation to publish, but be- cause of data deficiencies in-house and the personal failures causing this, they failed to upload the data. Later, a storage enlargement had to be carried out in the filing system, but they failed to migrate the required contract data from the system into an Excel table and so, they again failed to upload the data. Later, changes in management, changes in personnel concerning hand-over-take-over procedures and the anomalies arising from them led to the subsequent failure to upload. In part, the reason for the anomalies included the lack of clarification of responsibilities, their overlaps and the transformation of the internal information system. Following the authority procedure for transparency, the organ applied the consequences related to personal failure. [NAIH-8974/2023]

The lack or deficiency of performance was frequently due to a misinterpretation of the law. Several organs arrived at the erroneous conclusion that they had to provide data only with respect to contracts in force, or only after the performance of the contract. It follows from the text of Section 37/C of the Privacy Act that the coming into being of a contract already generates an obligation to provide data, the Privacy Act does not link this obligation to the entry into force of the contract. The legislator’s intention was to publish the contracts that were concluded and this was not subject to the condition of the contracts being in force. [NAIH-7042- 8/2023, NAIH-7253/2023]

The actual movement of funds is also not a condition of the reporting obligation. According to the position of an organ acting as a central purchasing authority, the contract in question was not subject to the scope of the obligation to pro- vide data as set forth in Section 37/C of the Privacy Act, because it was a frame- work agreement. The client conducted the procedure to conclude the framework agreement not for its own purpose and not to debit its own funds, but acting as a central purchasing body. In its decision, the Authority expounded that in view of Section 37/C(2)(b), (3)(b) and (4) of the Privacy Act, the obligation to publish on the Platform applies to contracts exceeding a net value of five million forints, and the regulation does not include any provision that only the data of the con-

tracts have to be published on the Platform in relation to which actual movement of funds takes place. According to the Authority’s position, central purchasing bodies are subject to the reporting obligation even though the eventual future payments based on the framework agreements would not take place to debit the client’s budgetary funds. In this case, the client has such wide-ranging authori- sations in the course of the “Individual Procedures” to be conducted on the ba- sis of the framework agreement, which substantially influence the elbowroom of the organisations concluding the individual contracts. According to Section 3(26) of the Public Procurement Act, centralised purchasing means an activity by a central purchasing body pursued permanently for the purpose of placing orders for products and services for resale to contracting authorities as defined in the Public Procurement Act, or entering into supply contracts, service contracts and works contracts or framework agreements for contracting authorities as defined in the Public Procurement Act. The Authority established that the client appeared as contracting authority in 41 cases acting within its responsibilities as central purchasing body, but only in one contract as a contracting party; the Authority deemed that the failure to provide the data was an infringement with regard to this contract. As a result of the procedure, the client published the data related to the contract concerned. [NAIH-5298/2023]

Section 37/C(3)(b)(ba) of the Privacy Act also requires the publication of the val- ue of the contracts subject to the reporting obligation on the Platform. However, the determination of the value of the contracts to be published gave rise to sev- eral questions concerning the interpretation of the law. Section 37/C(4) of the Privacy Act states that as regards periodically recurring contracts concluded for a period exceeding one year, the calculation of value shall be based on the amount of consideration for one year. Several budgetary organs interpreted this provision, as meaning that the part of the total value of a contract calculated for one year has to be shown in the platform as the value of a contract concluded for more than one year. However, according Section 37/C(3)(b)(ba) of the Privacy Act the total net value of the contract has to be published and not the value cal- culated for one year. In Section 37/C(4) of the Privacy Act, “calculation of value” means the operation when the budgetary organ determines whether the value of the contract calculated for one year exceeds five million forints, i.e. whether the contract is subject to the reporting obligation. Always the total net value of the contract has to be shown in the data sheet, even if the contract was concluded for several years. [NAIH-9468/2023]

A government office did not provide data on a contract because, in its interpre- tation, if the commencement of the performance of a contract and the date of

its performance are in two separate financial years, the value of the contract will be half the total value, even though the contract was not concluded for a period longer than a year. The Authority established that the term “concluded for a pe- riod exceeding one year” in Section 37/C(4) of the Privacy Act is not to be under- stood as financial year in view of the fact that the legislator in the next sentence of the same paragraph specifically mentions the term “financial year”. [NAIH- 7650/2023]

Another recurrent problem related to the value of contracts is the deduction of the value of the eventually unused optional parts from the total value of the con- tract. However, the Privacy Act does not contain a provision that the full consid- eration of a concluded contract as set forth in the contract could or should be adjusted in view of the used or unused contract option(s) or the amount(s) actu- ally paid, as the case may be, based on the contract concerned when meeting the obligation to publish on the Platform. [NAIH-8616/2023]

The question whether the own funds of an organ qualify as domestic funds arose both as a question for consultation and in an authority procedure for transparen- cy. Some 92% of the revenues of a client (hospital) was financed by the National Health Insurance Fund of Hungary (financial funds of social security) under the heading B16, Revenues of support for operation from within public finances. The client’s position was that it was under an obligation to publish procurement pro- cedures financed by budgetary funds and EU funds pursuant to the Act on Public Finances, and not the contracts concluded to debit its own budget. The Authority stated that Section 37/C(2) of the Privacy Act specifies three categories for pub- lication: budgetary support, contracts and payments. The obligation to publish is conditional upon their extent exceeding five million forints and that they are im- plemented from national or European Union funds, but not conditional upon be- ing funded from budgetary support. The joint interpretation of the introductory provision, justification and Section 1(1) of Act CLXXXI of 2007 on the transpar- ency on public grants from public funds reveals that funding from the subsystems of general government qualify as domestic funds. Pursuant to Section 6/A(1)(c) of the Act on Public Finances, budgetary revenue estimates and expenditure es- timates in the act on the central budget appear as appropriations for the finan- cial funds of social insurance. Section 6/A(4) of Act on Public Finances requires that the financial funds of social insurance in the course of the operation of the system of social insurance serve to settle the budgetary revenues to be col- lected on behalf of the state and the budgetary expenditures to be performed. Pursuant to Article 39(3) of Hungary’s Fundamental Law, public funds mean the state revenues, expenditures and claims. That means that the client’s operation

is financed by the financial funds of social insurance from budgetary revenues to be collected by the state from within general government, i.e. domestic funds and public funds. So, the Authority declared in its decision that the client’s own budget qualifies as domestic funds, hence the data of the contracts to be imple- mented out of these funds are subject to the scope of the obligation to publish. [NAIH-7661/2023, NAIH-6881/2023]

In many cases, deficient reporting could have been avoided, had the budgetary organ checked the reports that actually appeared on the platform following the submission of its datasheet. It has been a frequent problem that even though an organ shows the currency of the value of the contract/grant/payment, it does not appear in the data sheet published on the platform. In these cases, currency ap- pears as formatting in the .xlsx files set by the budgetary organ not as the three- letter abbreviation specified in the Guidelines entered after the amount. As the currency is a format and not a data entered, it is not included in the database in the course of processing, consequently it cannot be generated in the .pdf docu- ment either. [NAIH-6631/2023]. Not all data sent in appear on the platform de- spite submitting the report, if a line remains empty on the datasheet or the organ modifies the format of the datasheet (e.g. supplements it with additional work- sheets). [NAIH-6473/2023, NAIH-8363/2023]

The Guideline produced by NAVÜ is not only an indispensable instrument for the correct completion of the datasheet, budgetary organs have an obliga- tion to complete their datasheets in accordance with the Guidelines. Section 4 of Government Decree 499/2022 (XII. 8.) on the detailed rules of the Central Information Register of Public Data requires those subject to the obligation to publish on the platform to make sure that they appropriately complete the data- sheet in accordance with the provisions of Section 37/C of the Privacy Act, this Decree and the User’s Rules. According to Section 2(1) of the same decree, the Guidelines constitute part of the User’s Rules. In spite of this, currencies and the data pertaining to the legal basis and the form of the contract are not shown in accordance with the Guidelines.

However, the experience gained in almost a year of authority procedures for transparency it can be established – despite the above deficiencies – that the new obligation of budgetary organs to publish has proved to be an efficient means to increase the transparency in the use of public funds. As a result of the authority procedures for transparency, the use of HUF 324.9 billion in public funds became more transparent on the platform by 27 September 2023.

Many organs provide data for the Platform that have no general publication scheme at all, or they have one, but there are no financial data on them at all. As it is no longer mandatory to republish the data affected by the new obligation on the websites of the organs, the new Platform is increasingly becoming the cen- tral database for the most important financial data. It contains data, which can be found in other public databases, but here public procurement data, grant data and payments can be found collected in a single database for 10 years. It is pos- sible to conduct searches in the database, for instance, we can learn which min- istries concluded contracts with a given contracting party.

As a result of the authority procedures for transparency, budgetary organs re- ported that:

“they built the obligation into their work processes, rules and quality as- surance audits,”
“they renewed their internal processing and commitment processes; their acceleration became necessary, hence to speed up the data entry and uploading processes, they initiated the development of new rules,”
“labour force was regrouped within the organisation in order to be able to comply with their reporting obligations on time in the future,”
“uploading was not carried out because of an internal communication problem, but new procedures were introduced”.

These corrective solutions at organisational level should be underlined not only because they can facilitate the lawful meeting not only of the new obligation, but also of the general obligation to publish.

However, a deficiency of Section 37/C of the Privacy Act is that its scope does not cover all the organs performing public duties and spending public money, but the budgetary organs only, for instance, the new obligation does not apply to municipalities (it does, however, apply to the budgetary organs founded by them, such as the mayor’s offices). [NAIH-6137/2023, NAIH-5558/2023]

5. The most important decisions of the Constitutional Court and of the courts of justice concerning ...

5.1 Constitutional Court decisions

Decision 3/2023 (IV. 17) AB concerning the establishment of unconstitution- ality caused by an omission related to the accessibility of bank secrets that qualify as data of public interest or data accessible on public interest grounds. [NAIH/5942/2022 – providing an opinion]

The petitioner initiated a lawsuit for the issue of data of public interest against Eximbank. The courts sustained the petition and ordered the bank to issue the data. The court of second instance upheld the decision. The Curia repealed the final judgment, changed the verdict of the court of first instance and rejected the petition. According to the position of the petitioner, the bank secret is not an un- conditional impediment to the freedom of information, instead it is a restriction as a trade secret, based on a test regulated by law. The Curia was wrong in ap- plying it as an absolute impediment, whereby it violated the enforcement of the freedom of information. In the course of its proceedings, the Constitutional Court contacted the Nemzeti Adatvédelmi és Információszabadság Hatóság (hereinaf- ter: NAIH). The Authority deemed that “in the case under investigation, based on the identity of the controller (an organ performing public duties) and the activities carried out by it (management of public assets, public funds with a view to the im- plementation of governmental cooperation and economic policy), the provisions of the Privacy Act concerning the issue of data of public interest should apply”. At the same time, “it would create a clear-cut legal situation, if the reference to obli- gations concerning data of public interest – and hence the legal exemption from bank secrets – were to appear among the provisions of the Exim Act”. In its deci- sion, the Constitutional Court established that in the present regulatory environ- ment the bank secret excludes the data of all the clients of Eximbank (even if they are legal entities) without regard to the fundamental right of the freedom of infor- mation in a manner excluding consideration from the public, in spite of the fact that in the context of tied-aid loans, the bank performs public duties as the organ implementing government decisions, in the course of which it manages public funds, which fact is known in advance to the beneficiaries of the loans. Within this category, the constitutional interest in the accessibility of data as a main rule takes precedence over the interests in protecting secrets. However, the accessi- bility of dual nature data, held by Eximbank, i.e. data of public interest(or acces- sible on public interest grounds) covered within the notion of bank secret is not at all ensured in the current regulatory environment: the restriction of accessibil-

ity is total, not tailored to the unconditionally necessary and proportionate extent and there is no possibility for considering whether the data may be issued. The Constitutional Court therefore established that the legislator created a breach of the Fundamental Law by omission, failing to enact guarantee rules enabling the enforcement of the freedom of information with regard to the accessibility of bank secrets qualifying as data of public interest or data accessible on public in- terest grounds held by Eximbank that performs public duties and manages public funds, so the Constitutional Court called upon the Parliament to meet its legisla- tive duties related to this.

Order 3525/2023. (XII. 14.) on the rejection of a constitutional complaint: until the commencement of the performance of the public duties, the request to access data is premature [antecedent: Budapest Court of Appeal Pf. 20.290/2023/6.]

Based on Section 53/A(1) of Act CLXXXV of 2012 on Waste, the contract con- cluded with the state entered into force on 1 July 2023 with the provision that the concession company will be entitled to exercise the concession only “if it obtains the necessary permits and concludes the contracts providing for capacity” by 31 December 2022 at the latest. On 31 January 2023, the petitioner submitted a re- quest for data of public interest to the concession-holder, in which he requested the permit and the one or more contracts providing capacity. The Constitutional Court established that it does not follow from the final court decision approv- ing the rejection of the request as the basis that data related to the preparatory activity in the context of the performance of public duties are not data of pub- lic interest under any circumstance, but that the request to access the data is in fact premature until the commencement of the performance of the public duty. Until the entry into force of the concession contract, essentially a contingent le- gal situation obtains, or if the concession contract does not enter into force for any reason, with regard to the concession-holder (and the concession company founded by it) cannot be said to be performing public duties and so there are no data of public interest in view of Section 3(5) of the Privacy Act. Based on all this, not even a doubt concerning unconstitutionality influencing the court’s decision in merit arose, hence the Constitutional Court rejected the complaint. [See also Budapest Court of Appeal Pf. 20.540/2023/4]

Decision 3483/2023 (XI.7.) AB Accessibility of the benefits of senior employees of the National Office for the Judiciary (OBH)

In his request for the issue of data of public interest, the petitioner requested the sending of data concerning certain benefits paid to the leaders of the National

Office for the Judiciary (OBH) in a breakdown by name and the year of payment. In its answer, OBH refused to grant the request for data because, in their view, these do not qualify as data accessible on public interest grounds. In its deci- sion, the Constitutional Court established that OBH as an organisation manag- ing public funds is under an obligation to provide information on the total amount of benefits paid to its employees and their background. However, it is not an un- necessary and disproportionate restriction of the right to access data of public interest when the controller refuses the request for data extending to the ben- efits of every employee in a managerial position. The final court judgment found a fair balance between the accessibility of data and the protection of personal data, hence it did not result in a violation of the petitioner’s right set forth in the Fundamental Law. Because of this, the Constitutional Court rejected the consti- tutional complaint.

Constitutional Court Decision 3359/2023 (VII. 5.) AB

The data generated in a contractual relationship between an association and third persons do not qualify as data accessible on public interest grounds, even if they concern the use of funds affecting the central budget.

The association received a state grant of 150 million forints to develop a visitor’s centre under one of the programmes of the agency for tourism, which amount was to be used to purchase real property, to obtain the venues of the planned investment, to prepare a feasibility study, to implement the required zoning clas- sification, to prepare constructions plans and to launch a public procurement procedure. After this, the petitioner submitted a request for the issue of data of public interest to the association and requested the issue of the purchase and sale contracts concerning the real property bought by the association. The as- sociation did not respond to and did not comply with the request for data of pub- lic interest.

The regional court deemed that in the absence of the relevant public service contract and a budgetary grant to finance the task, it cannot be said that the association would have been under an obligation to perform the public duty in- dicated. The regional court also established that the association supports the performance of the public duties indicated through its activities for the public good, hence the respondent cannot be regarded as an organ performing public duties. The contracts of purchase and sale concluded by the respondent can- not be regarded as data of public interest merely because they were concluded by the respondent. The association did not conclude the contracts requested to be issued by the petitioner with a subsystem of general government, but it pur-

chased real property from a third person out of the state grant paid, based on a grant contract concluded with a person belonging to the subsystem of gen- eral government. The data generated in a contractual relationship established between an association and third persons do not qualify as data accessible on public interest grounds, even if they are related to the use of funds affecting the central budget.

The Constitutional Court deemed that the court decision contested by the pe- titioner does not suffer from deficiencies that would raise doubts of unconsti- tutionality influencing the judicial decision in merit, or any fundamental issue of constitutional significance.

5.2 Court decisions

5.3 Court decisions concerning the freedom of information in 2023, in which statements of NAIH were referred to

Kúria Pfv. 20.087/2023/6., Issue of public interest, (Reference to statement NAIH/2017/2408/2/V)

The respondent’s responsibilities include the development of the documenta- tion of the review of Hungary’s National Energy and Climate Plan (NEKT) due in 2023. An independent part of this is the so-called final environmental assess- ment (SKV). In a request for data of public interest, the petitioner requested the respondent to issue data of public interest indicated in altogether four points.

The respondent informed the petitioner that the data requested to be accessed support decision-making, hence it is not in a position to send them. In their an- swer, they stated that the EU regulation for setting up the framework for consul- tation does not provide for a time limit; the draft of the first update of NEKT has to be produced by 30 June 2023; the submission would be preceded by social consultation; the decision on its process would be made later. The petitioner re- quested that the respondent be ordered to issue the environmental assessment produced for Hungary’s National Energy and Climate Plan.

The court of second instance, in the justification of its judgment upholding that of the court of first instance, sustained the petition referred to in statement NAIH/2017/2408/2/V of the Hungarian National Authority for Data Protection and the Freedom of information, in which the Authority declared that examining accessibility of environmental information as data of public interest in the regu- latory system of the Privacy Act leads to the establishment that the provisions re-

stricting accessibility to data supporting decision-making – Section 27(5)-(6) of the Privacy Act – cannot be applied to environmental information because their nature supporting decision-making is based not only on formal criteria, but also on those of content.

According to the judgment of the Curia, the respondent’s (controller) request for review is ungrounded, no specific justification for the reasons for restricting ac- cessibility was given in the specific case, the respondent referred to the fact that NEKT had to be reviewed based on EU regulations only in general and this re- quires the processing and reassessment of the SKV asked to be issued. The courts taking action correctly referred to the fact that legal regulations require the publication of the SKV. According to the Curia’s statement of principle, if a separate legal regulation requires the publication of a document containing data of public interest, the controller may not refuse access to the document by refer- ring to the data as supporting decision-making. General reference to the nature of the data as supporting decision-making without any specificities is insufficient for denying the issue of the data.

Kúria Pfv. 20.112/2023/5.– Issue of data of public interest, data of government meetings

On 6 January 2022, the petitioner submitted a request for data of public interest to the respondent (Prime Minister’s Government Office) requesting the electron- ic transmission of the dates of government meetings held in October 2009, the copies of the summaries of the meetings and the annexes thereto.

On 22 January 2022, the respondent extended the period open for granting the data request, then in its answer sent on 21 February 2022 refused compliance with the request based on Part IV of the justification to the Constitutional Court’s Decision 32/2006. (VII. 13.) AB.

In its earlier precedent-setting decision, Curia stated as a matter of principle that the obligation to provide data of public interest is independent of the type of organisation concerned, its ownership relations, its activities; the obligation to make data of public interest accessible is established merely by the fact of pos- sessing the data of public interest (Kúria Pfv.IV.20.911/2018/4.). In line with this, the Authority’s statement of 28 February 2022 declared that in general it is not an impediment to issuing the data that the data themselves do not relate to the operation of the organ performing the public duty in itself, or were generated in the context of its own operation, merely the fact that the data were in the pos- session of the controller (which was not disputed in the given case) in itself lays

the ground for the obligation to issue the data. Nevertheless, the courts taking actions did not violate any legal regulation when they did not order the petition- er to furnish additional evidence with regard to the nature of the requested data as data of public interest, or the activities of the respondent controller. Overall, it can be established that the requested data qualify as data of public interest, ir- respective of whether they apply directly to the activities of the respondents or were generated in relation to its activities.

Budapest Court of Appeal Pf. 20.236/2023/5. Issue of data of public interest – Accessibility of data of government meetings

The court of first instance correctly stated in its decision that the data requested to be issued in the lawsuit qualified as data of public interest not on the basis of Section 7(3) of the Administration by Government Act but under the provisions of the Privacy Act.[...] The Constitutional Court in its decision (32/2016 (VII. 13.) AB) stated on the one hand that the classification of certain data of government meetings cannot be regarded as anti-constitutional and on the other hand that pursuant to Section 7(1) of the Administration by Government Act, the meetings of the government are not public.[...] It follows that the data requested by the peti- tioner qualify as data of public interest, the capacity of the respondent as control- ler can be established and, furthermore, the data were not classified by a person or organisation entitled thereto in a procedure specified by legal regulations, they were not classified data, hence the data have to be issued upon request.

Budapest Court of Appeal Pf. 20.376/2023/4., Issue of data of public interest, Hungarian Association of Judicial Officers (MBVK) (case of the same subject matter: NAIH-2825-8/2022.)

By a request for data of public interest, the petitioner requested the respondent, the Hungarian Association of Judicial Officers (MBVK) to issue the contracts concluded with six legal entities in relation to the performance of its public duties, and any eventual contract amendments and annexes. The respondent denied the petitioner’s request stating that in its view the requested data qualified as per- sonal data as the data of natural persons can also be found in the contracts and that the contracts also contain trade secrets. It also stated that the entirety of the contracts as documents are not within the notion of data of public interest or data accessible on public interest grounds, hence the requested contracts cannot be issued even under a request for data of public interest.

In its judgment, the court of first instance ordered the respondent to issue the re- quested documents to the petitioner within 15 days obliterating the personal data in the documents. The court’s position was that pursuant to Sections 34/A(1), 250(1) and (2) of Act LIII of 1994 on Judicial Enforcement, the respondent doubt- lessly performs public duties when discharging its duties related to enforcement. In view of this, the data in its possession concerning its activities and financial management are data of public interest, which the respondent has to make ac- cessible to anyone. With regard to the personal data included in the contracts, the courts declared that even if the contracts requested to be issued have such content that, however, does not provide grounds for denying the issue of the en- tire document. The court also explained that the respondent must grant the re- quest to issue the data in such cases, while blocking the personal data.

The court declared that the legal regulation does not contain any restriction as to what extent of the data content of contracts subject to the disclosure of data can be requested; these contracts meet the notion of data of public interest and the petitioner lawfully requested their issue, in view of which the denial by the re- spondent was qualified as unlawful.

In its appeal, the respondent expressly acknowledged that it performed public duties. With regard to the accessibility of data of public interest, Section 26(1) and Section 3(5) of the Privacy Act are of decisive significance; this regulation does not specify the fact of managing public funds as a condition of performing public duties and indirectly as a criterion of having access to data of public inter- est. Based on the definition of the notion of data of public interest with regard to the right to access data of public interest, the following are of outstanding signifi- cance: - the requested information should be processed by the organ perform- ing public duties; - the data apply to the activities of the organ performing public duties, or be generated in relation to the performance of its public duties; - the data do not qualify as personal data. Based on Section 1 of the Privacy Act, the notion of personal data as set forth in Section 3(2) of the Privacy Act can only be applied to natural persons. Judicial practice has been consistent in that if in a lawsuit for access to data of public interest the respondent refers to the existence of a trade secret only in general, by invoking a legal regulation, this does not lay the grounds for the restriction of accessibility. The link between a trade secret and the blocking of personal data in the documents may only relate to the per- sonal data of natural persons, and therefore no inference can be drawn from this to the existence of a trade secret or the disproportionate injury by the disclosure.

Budapest Court of Appeal, Pf. 20.555/2023/6. (NAIH-873/2022, NAIH-977/2023) – Production of new data, formal reference

The respondent (Central Administration of National Pension Insurance – ONYF) was unable to prove beyond any doubt that they rejected the data request for well-grounded reasons based on Section 31(1) of the Privacy Act and that grant- ing the request would have qualified as the production of new data based on the criteria of Constitutional Court Decision 13/2019. (IV. 8.) AB. So the infor- mation requested by the petitioner qualified as data of public interest according to Section 3(5) of the Privacy Act processed by the respondent and the court of first instance ordered the respondent with good grounds to render them ac- cessible based on Section 26(1) and 28.(1) of the Privacy Act. In his request for data, the petitioner requested the detailed data of allowances disbursed by the ONYF for the years 2017-2022 in a breakdown. The respondent did not dispute that the requested information can be produced in its answer to the Authority, it even referred to the data processing steps required; the facts of the case did not have to be supplemented in this regard. The burden of proof with respect to the lawfulness and justification of the denial lay with the controller, i.e. the re- spondent. As a justification for denial, the respondent stated that it had to pro- duce new data to comply with the request and it was not under an obligation to produce the data. Consequently, based on Section 31(2) of the Privacy Act, it had to prove that generating the requested information was such a complex task which, in view of the justification of the Constitutional Court Decision, qualifies as the generation of new data, hence it does not process the requested data of public interest. It cannot be assumed that the required IT and legal knowledge was not available to the respondent that processed large quantities of personal and other data. The respondent did not state either in the lawsuit or in the pro- cedure before the Authority that providing the information would jeopardise its operation or eventually involve a disproportionate volume of work and would be abusive. Hence, it was not necessary to consider whether the right to access data of public interest could be restrictive in the interest of protecting a consti- tutional interest in accordance with the justification of the Constitutional Court Decision (paragraph [56]). Pursuant to the Constitutional Court Decision (para- graph [58]), the fact that the requested information of public interest is not avail- able elsewhere (data monopoly) has to be taken into account. In its procedure, the Authority attempted to clarify the accurate operations, data processing steps; however, in its answer the respondent did not specifically present the processing steps leading from the personal data to the requested information, it merely re- ferred to general mathematical and IT operations, on the basis of which, in view of the electronic processing of the data, it was not possible to make any conclu-

sions concerning the justification and the grounds for the denial. Nor could any conclusion be drawn as to what extent the described mathematical and IT oper- ations qualify as complex. In this respect, it must be taken into account that the respondent has processed the elementary (personal) data electronically, which was not disputed. So, the same processing operations which may qualify as complex on paper and involve a substantial workload can be carried out quickly and simply electronically with or without algorithms and functions for a person with IT qualifications, depending on the circumstances and the IT possibilities of searching and anonymisation. The information obtained in this way can be fil- tered, sorted and summarised in tables using the same operations. The neces- sary data of the tables can be summed by simply adding up the lines of the tables using IT methods (simple mathematical operations). In this context, it should be borne in mind that a request for the collection of the recorded data, their sort- ing according to specific criteria and arranging them in tables cannot fundamen- tally be denied according to the justification of the Constitutional Court Decision (paragraph [55]) Depending on the circumstances, it is possible that in posses- sion of a methodology known, based on an earlier request for data, the data re- quested by the petitioner should be perceived according to the justification of the Constitutional Court Decision (paragraph [49]) that the requested informa- tion “is ready and available”. The respondent failed to present any other spe- cific fact enabling the assessment of the processing steps. In its answers to the questions posed in the Authority’s procedure, it failed to make any statement of merit concerning the time and labour required for the operations, and the statis- tics used to process the data of pension payments. Instead, the respondent un- derlined both in the procedure before the Authority and the court its position that the required processing operations described go beyond simple mathematical or IT operations, however, this statement could not be checked in the absence of the presentation of the specific data generation steps. Without the possibility of checking the content of the reasons for denial, the denial of a request to ac- cess data of public interest with reference to the generation of new data proved to be a mere formal reference, which in the practice of the Constitutional Court is an impermissible restriction of the freedom of information, hence it is not lawful. In this context, the Budapest Court of Appeal underlines that under the justifica- tion of the Constitutional Court Decision {paragraph [61]}, it has to be examined with the greatest of care whether the data request is indeed for the generation of new data, which qualitatively differ from the processed data as denial of access to data of public interest may ultimately impede informed participation in debates on matters of public interest.

5.3.1 Further court decisions concerning access to data

Kúria Pfv. 20.041/2023/6. Issue of data of public interest: data to support deci- sion-making

According to the arguments of the respondent (Prime Minister’s Office) in the re- view proceedings, the procedure of furnishing evidence did not violate the law, but the court of second instance failed to enforce the constitutional criteria for ex- cluding access to the requested data with sufficient weight, which was an issue of substantive law affecting the legal basis of the petition. [...] In these cases, the point of departure is that preparation for decision-making by civil servants should be carried out freely, informally and free of the influence of the public as a safe- guard for the quality and efficiency of the work by civil servants [Constitutional Court Decision {21/2013. (VII. 19.), Justification [43]. [...] Once the decision is made, the principle of accessibility is again applicable to the data as a main rule, and – within the period specified in paragraph (5) – the data request may be de- nied only if the data support additional future decision-making or access to the data would jeopardise a lawful operation or the performance of the functions and responsibilities of organs performing public duties free of undue external influ- ence, thus, in particular, the free expression of the views of those generating the data in support of decision-making [Constitutional Court Decision {3190/2019. (VII. 16.) Justification [39]) [...] According to the four-step test, the data support- ing decision-making must be related to a specific decision-making procedure; the entire document irrespective of its content cannot be qualified as data sup- porting decision-making; instead of the document principle, the data principle has to be applied; the controller may not invoke so-called “criteria of conveni- ence”; the decision rejecting the data request must be justified in terms of con- tent and the court taking action must equally examine the grounds for denying the provision of the data and the deficiencies of its content based on the docu- ment constituting the subject matter of the data request.

Kúria Pfv. 20.509/2023/4. – Issue of data of public interest – data supporting fu- ture decision-making as the reason for refusal

The Curia had to come to a decision whether there is a reason to restrict acces- sibility based on Section 27(6) of the Privacy Act. [...] According to Section 27(6) of the Privacy Act, within the time limit of 10 years referred to in paragraph (5) – a request for access to data used for supporting decision-making may be refused after the decision is adopted, if

the data supports also future decision-making, or
access to it would jeopardise the lawful functioning of the organ perform- ing public duties, or the performance of its functions and powers with- out undue external influence, such in particular the free expression of its views generating the data during the preparatory stage of decision-mak- [...]

As the Curia also accessed the content of the report, it upheld the position tak- en by the court of second instance that the report fundamentally contained facts and data, whose issue would not in any way materially affect the lawful operation of the respondent, which has a professional staff, or the exercise of its functions and powers without undue external influence .[...] In this context, the Curia em- phasised that the accessibility of data of public interest has a constitutional role: to render the operation of the state and the use of public funds transparent and the report is expressly linked to this.

Kúria Pfv. 20.234/2023/3. Issue of data of public interest – threat to IT security

According to the interpretation of the law by the Curia, the following provisions of the Information Security Act, ensuring protection of the electronic system, facili- tate the attainment of this objective of the law: Section 1(1)(8) of the Information Security Act defines the notion of secrecy (the feature of an electronic informa- tion system that the data and information stored therein can be accessed, used or disposed of only by people authorised thereto and only according to their lev- el of authorisation).[...] The above provisions of the Information Security Act as the law referred to in Section 27(2)(c) of the Privacy Act clearly state who is au- thorised to access data stored in a closed system depending on security clas- sification and under what conditions and that the principle of secrecy must be implemented through the entire life cycle with a view to the protection of the na- tional data assets.[...]

According to the Curia’s interpretation based on Article 28 of the Fundamental Law, bearing in mind the objectives indicated in the Recital to the Information Security Act, an interpretation of the provisions ensuring the protection of the electronic information system containing the register of personal data and resi- dential addresses at the highest level, which would render protection contingent on which element of the system architecture it applies to, goes against com- mon sense.[...] Although the laws restricting the freedom of information should be interpreted strictly, in the given case under a different interpretation, the full protection of the electronic system containing the register of personal data and

residential addresses cannot be guaranteed, this restriction is expressly permit- ted by Section 27(2)(c) of the Privacy Act for the prosecution or prevention of criminal acts and it means a legitimate restriction of the accessibility of certain data of public interest.

Budapest Court of Appeal Pf. 20.369/2023/3. Issue of data of public interest – data of hospital infections – National Centre for Public Health and Pharmacy

Exemption from the obligation to make data public cannot be based on the argu- ment that the disclosure of the data – without knowledge and assessment of the additional information necessary for the analysis of the data – leads to incorrect interpretation or conclusions.

Reference to the fact that the requested data were unavailable was not made in the course of the lawsuit, only in the appeal based on Section 14(1) and (2) of Decree 20/2009. (VI. 18.) EüM on the prevention of infections related to health- care and the professional minimum criteria and supervision of these activities. [...] Based on all this, the obligation of electronic publication does not influence the requirement of meeting the petitioner’s request for data in view of the fact that not even the respondent argued in the lawsuit that from the links indicated in its answer sent to the petitioner in the course of the preliminary procedure, the summary reports of the infection data of the given years were accessible.[...] The Budapest Court of Appeal agreed with the position of the court of first instance that the reference that the publication of the number of infections in individual healthcare institutions and their eventual propagation could be misleading, and that there could be a risk that the misinterpretation of information on hospital in- fections would result in decreased confidence in certain institutions could not be used by the respondent for exemption from the obligation to issue the data. [...] The Curia (in its judgement Pfv. 21.081/2018/5 stated that although the court may not examine the purpose of lawful processing, it attached importance to stating in view of the specific nature of the data that the accessibility of data of public interest is closely related to the right to freely express opinions, which right should be exercised with responsibility.

Budapest Court of Appeal Pf. 20.385/2023/4. – Meeting a request for data of public interest by inspection

The respondent did not dispute that it was an organ performing public duties or that the data wished to be accessed by the petitioner where data of public inter-

est, so it had to be examined whether the possibility of inspection offered by the respondent qualifies as meeting the petitioner’s request to access data of pub- lic interest.

The court of second instance emphasized that according to Section 30(2) of the Privacy Act, data requests shall be complied with in a comprehensible manner and if the organ performing public duties that processes the data in question is able to bring it about without disproportionate difficulties in the form and manner requested by the requesting party.

During the litigation, it was not disputed that complying with the request in the manner indicated by the petitioner would not have given rise to disproportionate difficulties for the respondent (an organisation performing public duties), hence it should have met the data request in the manner indicated.

6. Access to personal data accessible on public interest grounds

Since the General Data Protection Regulation (GDPR) has become applicable in May 2018, the joint and interactive application of the rules on the protection and the accessibility of data poses particular challenges for the organs performing public duties as controllers. The Authority has addressed this issue with empha- sis already in its 2022 report: whether personal data should be issued and if so, under what conditions and for what processing purposes they may be used, dis- seminated and made public.

Only law may make personal data public on public interest grounds; such a pro- vision is, for instance, Section 26(2) of the Privacy Act, but so are the provisions of the sectoral laws pertaining to the legal status of certain persons discharging public duties. However, the fact that the personal data are accessible on pub- lic interest grounds by provision of a law does not mean that the provisions and principles applicable to the protection of personal data would not at all be appli- cable to their processing. In the 21st century, the accessibility of data and the associated consequences are to be interpreted and enforced differently, despite the fact that the requirement of technological neutrality is enforced in the course of processing; however, for instance, ensuring the right to be forgotten – on the worldwide web, social media and applications – pose additional challenges to the data subjects of data accessible on public interest grounds, their controllers and publishers.

There are other instances related to the accessibility of data, which merely give rise to violations of the right to informational self-determination; these are the

cases when unauthorised third person outsiders have access to personal data to be protected in official documents published on the Internet, which otherwise qualify as data of public interest (e.g., submissions for municipalities, minutes of meetings of the body of representatives, decisions or matters disclosed orally during a public meeting). The accurate delineation of data protection and data accessibility requires particular care and professional skill in these municipal matters concomitant with multi-level, multi-dimensional accessibility, for which not only the municipal executive and the civil servants, but the body of repre- sentatives, the members of committees, the persons lawfully present in public or closed meetings have joint but also individual responsibility.

Another contemporary feature is the expression of opinions on social media plat- forms and the related processing of the data, whereby a new data processing, disclosure and publication is implemented using personal data accessible on public interest grounds, or have already been made public or disclosed by the data subject, as well as non-public personal data, which has paramount con- sequences for personality rights in addition to the right to informational self- determination. In general, the perpetrators of infringements, shrouded in the benevolent shadow of anonymity, ride roughshod through others’ dignity, enter- ing the swamp of areas beyond the law, with no regard for accountability.

Section 1 of the Privacy Act ensures that (personal) data accessible on public interest grounds be accessible and disseminatable with a view to ensuring the transparency of public affairs in line with the Recital to the Act. The processing, use and publication of data must be in line with this purpose in view of the princi- ples of data processing already referred to, such as data minimisation, the right to be forgotten, etc.

6.1 Enforcement of data subject’s rights with regard to personal data published in Magyar Közlöny (Hungarian Official Journal) or submissions of bodies of representatives

In an authority procedure for data protection, the data subject wished to have his name (personal data related to his civil service appointment) from the 2013 volume of the Hivatalos Értesítő (prior to the application of GDPR), which is an annex to Magyar Közlöny. The purpose of processing is that Hungary’s official journal, including the Hivatalos Értesítő, which is its annex, be accessible to the public continuously and without distortion for reasons of legal security, which may be deducted from Article B)(1) of the Fundamental Law. The controller could not comply with the erasure request based on Article 17(2)(b) of the General

Data Protection Regulation and it notified the petitioner of this. The issues of the Hivatalos Értesítő cannot be removed from the website and its notices can- not be subsequently modified. The data subject withdrew his request. [NAIH- 5869/2023]

In another authority procedure, the data subject requested the erasure of his name and his former work e-mail address from a document published on a mu- nicipal website as part of a submission of the body of representatives. The mu- nicipality failed to substantiate the priority of its interests in processing the data, whether it is necessary to further disclose personal data generated years before in 2011 in order to exercise the right to the freedom of expression and obtain- ing information. The municipality also failed to state the specific public affair for the debate of which it would be important to continue to maintain the publication of the data on the Internet today. The Authority found the request for erasure as well-grounded to ensure “the right to be forgotten” and established that the rejec- tion of the request was unlawful. [NAIH-5517/2023, 307-1/2024]

6.2 The data of municipal officials accessible on public interest grounds and the conclusions that may be drawn from them

A mayor wanted an answer to the question whether the net amount of payments to municipal representatives, the mayor, the deputy mayor and the external mem- bers of committees under various headings (emolument, reward, cost reimburse- ment, etc.) can be issued upon request for data of public interest. In the case of the requested data accessible on public interest grounds, their gross amount was sent to the person requesting them, but with regard to the net amount, cer- tain individual benefits subject to Act CXVII of 1995 on Personal Income Tax (hereinafter: Income Tax Act) qualify as personal data. Gross personal dues (wages, emoluments, rewards, etc.) include the various taxes and contributions specified by legal regulations (personal income tax, pension insurance, health insurance and labour market contributions). It is a fact that gross personal dues consist of the net dues received by the given employee and the public dues pay- able by him. The Income Tax Act separately provides for the various personal income tax benefits, which reduce gross income with regard to individual per- sons. As to the persons indicated, the net income requested as data accessi- ble on public interest grounds – just as gross income – can be issued in a single amount to the person requesting the data as in the case of the gross income, it is not detailed what income element it consist of, nor the taxes and contributions to be deducted are detailed per person when issuing the data. [NAIH-1563-2/2023]

6.3 The mayor’s school qualification

A municipal executive rejected the data request concerning the school qualifi- cation of the mayor of a village. The person requesting the data argued that the mayor named his qualifications in the course of earlier election campaigns, as well as in his statements. In the campaign, he referred to his degree, his gradu- ation from a doctoral school and his professional skills. Based on the legal reg- ulations in force, it can be established that the school qualifications of a mayor qualify as data accessible on public interest grounds to the extent that the qual- ification is a precondition to performing a municipal task or filling a position. Accordingly, the data concerning the mayor’s qualifications do not qualify as data accessible on public interest grounds from the viewpoint of the Mayor’s Office as controller. It is a different case when the mayor discloses the data concerning his qualifications voluntarily or through another controller based on his clear con- sent. The Authority’s position is that in this case the data are accessible as data accessible on public interest grounds. According to the municipal executive’s an- swer, the mayor had disclosed his school qualifications in the course of the elec- tion campaign on flyers; however, the mayor did not confirm this. The Authority recommended to the mayor to consider providing the information to the person requesting the data, so that he as a person performing public duties, as an al- derman of the village, prevent that issues of integrity and reputation arise or be disputed in the local community. The data were not issued in the course of the investigation. [NAIH-3526-8/2023

6.4 Transparency of the decisions of the Public Service Arbitration Committee

The Authority received a question on the accessibility of the decisions of the Public Service Arbitration Committee. The relevant data request was rejected by the Prime Minister’s Office with reference to the fact that Act CXXV of 2018 on Government Administration (Government Administration Act) and Government Decree 69/2019. (IV. 4.) on the arbitration committee does not require the pub- lication or sending of the decisions. Although the procedure of the Arbitration Committee is limited to the legal relationship between the parties taking ac- tion in front of it, and the subject matter of the procedure related to the employ- ment relationship of the given government official, i.e. it was related to his private sphere, there might be a public interest in accessing the individual decisions of the Arbitration Committee as an organ performing public duties. If the Board taking action brought a decision extending to issues of principle, the president of the Arbitration Committee could decide whether to publish it on the website

as an Arbitration Committee decision of principle. The fact that no legal regula- tion requires the accessibility of data, it does not follow that they would not be accessible as data of public interest.6 According to the Authority’s position, the Arbitration Committee is required to comply with a request for data of public in- terest with regard to decisions made in procedures launched on a specific sub- ject matter, concerning a specific period, or on the basis of complaints against a given government organ in accordance with the provisions of the Privacy Act. Therefore, the Arbitration Committee has to send copies of its decisions con- cerning the individual case groups to the requesting party based on Section 29(3) of the Privacy Act, if so requested but only after their anonymisation cover- ing their case number in accordance with Section 30(3) of the Privacy Act.

If the requesting party lodges the data request with the government organ affect- ed by the decision, the government organ involved in the procedure as a party itself is under an obligation to issue the decisions of the Arbitration Committee concerning the specific subject matter, or individual case groups, in an an- onymised format as described above. With regard to the existence of the obli- gation to comply with the data request, it is not necessary to examine whether the organ performing public duties is a controller according to the definition in Section 3(9) of the Privacy Act, but whether the condition specified in Section 26(1) of the Privacy Act is met, i.e. whether the data requested to be accessed is actually processed by it.7 [NAIH-3218-6/2023]

7. Transparency of municipalities

7.1 The rights of municipal representatives under the law

The Authority examined the issue of the delineation of the right of municipal rep- resentatives to obtain information and of their right to access data of public inter- est or data accessible on public interest grounds in several notifications, i.e. the joint application of the provisions of Act CLXXXIX of 2011 on Hungary’s Local Governments (hereinafter: Municipalities Act) and the Privacy Act. According to the Authority’s legal practice, the municipal representative can have access to data of public interest and data accessible on public interest grounds, the same way as anybody else; the provisions of the Privacy Act are to be applied to the data request. The rights specified in Section 32(2) of the Municipalities Act to which municipal representatives are entitled do not grant additional rights to ac- cess data of public interest and data accessible on public interest grounds.

It is a different case, if the law or the municipal decree enacted based on authori- sation by law authorises the representative to have access to some kind of data and to process them with a view to performing his public duties or if the body of representatives of the municipality entrusts him individually or as a member of a committee with the planning, organisation or control of a task within the com- petence of the municipality. In such cases, the representative may process the personal data indispensable from the performance of the tasks and those listed in legal regulation complying with the principle of purpose limitation. The rules of the General Data Protection Regulation and the Privacy Act apply to all other processing operations involving the processing of personal data, including re- quests for information in their capacity as a representative. The capacity of be- ing a representative does not in itself authorise a person to access and process personal data.

In relation to a submission, a member of the financial committee of the municipal- ity requested the inspection of the pay list of public employees and civil servants employed by the municipality, the list of their fringe benefits and their base docu- ments. The Authority pointed out what was explained above and called the at- tention to the rules applicable to the tasks of the financial committee as set forth in the Statutes of the Body of Representatives of the Municipality (hereinafter: Statutes) as a municipal decree. In that specific case, the financial committee and its member could act within the powers specified by the Municipalities Act and the Statutes not by the Privacy Act, but even in this case attention has to be paid to the accessibility of data to be protected, their anonymisation, if needed, and in the case of personal data accessible on public interest grounds to compli- ance with the principle of purpose limitation in the context of their dissemination. [NAIH-5878-2/2023]

7.2 A case of tenement flat rental

The question arose in relation to a municipal representative who was not a member of a committee set up by the body of representatives whether he could inspect the documents laying the foundation for rentals with regard to the mu- nicipality’s tenement flats. In the cases of tenement flat rental, with emphasis on rental based on welfare issues, the committee processed not only the iden- tification data of the natural person concerned, but also his other personal data related to his assets, family, welfare and health situation in order to make the de- cision. Pursuant to Section 32(2)(d) of the Municipalities Act, the representative may participate in the public or closed meetings of any committee set up by the body of representatives, of which he is not a member, and as a representative he may have access to the submissions and minutes of all the public meetings of any committee. However, with regard to the committee of which he is not a mem- ber, he may not have access to the submissions prepared for the agenda points of closed meetings and the data needed for decision-making. Based on Section 32(2) of the Municipalities Act, the representative has a right to participate in the closed meetings of committees with the right of consultation. While exercising this right, he may have access to the decision-making procedure, even though he does not directly participate in the assessment of individual cases. In this case, the Authority took the view that it was not necessary to have access to the documentation of the specific individual cases and the data therein for the rep- resentative exercising his powers according to the last sentence of Section 32(2) (d) of the Municipalities Act. [NAIH-5924-4/2023]

7.3 Regulation of requests for data of public interest in the Statutes

The Authority conducted an investigation against a district municipality because in its Statutes it included the determination of the mode of compliance with re- quests for data of public interest submitted by representatives within the powers of local legislation, pursuant to which, if the data request was of substantial ex- tent or involved a large number of data, it would be complied with through the inspection of documents. Sections 30(2) and 29(2) of the Privacy Act contains clear rules for compliance with requests for data of public interest; furthermore, the Privacy Act does not grant authorisation for the enactment of municipal de- crees to further specify the mode in which requests for data of public interest may be fulfilled. In relation to the municipal decree, the Government Office of the Capital City of Budapest underlined that the rights of representatives guar- anteed through the joint application of the Fundamental Law, the Privacy Act and the Municipalities Act may not be restricted with the regulation referred to, and municipalities are not authorised to enact municipal decrees with regard to the essential elements of content of the right to access and disseminate data of public interest as a fundamental right. In spite of the consistent position of the Government Office, the body of representatives adopted the decree (the amend- ment of the Statutes) as described above. With a view to avoiding the future violation of the fundamental right to access data of public interest and data ac- cessible on public interest grounds, the Authority made a recommendation to the body of representatives of the district municipality to annul the regulation re- ferred to.[NAIH-922-11/2023]

7.4 Transparency of the data concerning the lawful operation of the municipality

In a submission, a question related to the transparent operation of municipali- ties arose as to whether the call for compliance by a Government Office qualifies as data of public interest. When answering the question, the Authority’s point of departure was Constitutional Court Decision 32/1992. (V. 29.) AB, which states that the primary function of the freedom of information is to ensure the trans- parency of the state and control of decision-making by public powers. Pursuant to Sections 26(1) and (2) and 32 of the Privacy Act, the data generated in the course of government offices performing their tasks of compliance control are – as a main rule – data of public interest or data accessible on public interest grounds, to which the provisions of the Privacy Act are to be applied. In terms of the enforcement of the freedom of information, the Authority highlighted that in this case, an organ performing a public duty (Government Office) supervised another organ performing public duties (body of representatives of a munici- pality), i.e. the Government Office within the scope of its performance of pub- lic duties controls the activities of the body of representatives performing public duties. The purpose of the investigations is to re-establish lawful operation and to terminate an unlawful situation and the data relating to this are of public inter- est by virtue of the definition of the Privacy Act. Once the compliance procedure is closed and the call for compliance is made, the document is public, accessi- ble to anyone, if necessary after the anonymisation of the data to be protected. [NAIH-1678-2/2023]

7.5 Publication of data on rent arrears to improve the propensity to pay

The publication of the amount of the overdue rent for the tenement flat owned by the municipality and the name of the debtor on the website of the municipal- ity was subject to investigation. The body of representatives of a city munici- pality enacted a decree on publishing the names of debtors with overdue rent amounting to a million forints, outstanding for more than thirty days, as well as the amount of the debt on the website of the municipality as long as the debt ex- ists. With regard to the processing of personal data as carried out in this case (online publication), the Authority established that the controller municipality did not have the appropriate legal basis for processing as Act LXXVIII of 1993 on regulating the utilisation of real property held by municipalities, their rules, the rent of tenement flats and premises and certain rules for their disposal does not grant authorisation for the regulation of the processing of personal data at local level (the enactment of municipal decree), to which the municipality could have referred to as the legal basis of the processing objected to. In addition to estab- lishing the fact of unauthorized processing, the Authority also underlined in its statements made with regard to the purpose limitation of processing: judicial en- forcement used by the municipality was successful, hence there was no need for any further processing of the complainant’s personal data, in particular, for the publication of the personal data in order to enforce public interest. The Authority made a recommendation for the annulment of the relevant rules of the municipal decree, which the body of representatives complied with. [NAIH-2086-11/2023]

7.6 Disclosure of the data of a municipal employee

Based on a notification, the Authority investigated the publication of the person- al data of a person employed part-time by a municipality, who was also instru- mental in the operation of a workers’ hostel held by the municipality. As to the person of the notifier, the Authority established that according to the job descrip- tion included in his employment contract, he has been carrying out his tasks as a general legal staff member. The minutes of the meetings of the body of representatives and the statement of the municipal executive accessible to the public revealed that he qualifies as an exceptional public actor in the context of performing the public duties in operating the municipal workers’ hostel, hence he has an obligation to tolerate the purpose-limited publication of data accessi- ble on public interest grounds related to the performance of the public task: his name, the public task he carries out, his (planned) position and in relation to that, the amount of his (planned) and current wages. The notifier in his capacity as a person performing public duties, voluntarily undertook to operate the workers’ hostel of the municipality, hence accepted the publicity concomitant with his po- sition and his obligation to tolerate opinions and criticisms related to his activity. [NAIH-3279-17/2023]

7.7 Transfer of a request for data of public interest to the organ performing public duties processing the data

In an investigative case, the municipal executive of one of Budapest’s districts informed the Authority of having transferred the notifier’s request for data of pub- lic interest to the controller Kerületi Közszolgáltató Zrt. as the Mayor’s Office did not have the requested data and informed the notifier also of this fact. After this, the notifier submitted a request for an authority procedure for data protection to the Authority because, in his view, his personal data were forwarded to another independent controller without a legal basis. The Authority rejected the request and underlined the relevant rules of the Council of Europe Convention on ac- cess to official documents, which was promulgated in Hungary by Act CXXXI of 2009. Article 5(2) of the Tromsø Convention requires the controller to refer the request to the competent public authority, where possible, or to inform the data subject of the competent public authority to which he may address the request. The municipal executive forwarded the data request to the business organisa- tion held by the municipality that had the data in order to facilitate an outstanding fundamental right, the applicant’s access to information of public interest, which the Authority regards to be good practice for the best possible enforcement of the freedom of information. The decision is accessible on the Authority’s website based on the case number. [NAIH-1096-16/2023]

7.8 Publication of invitations and submissions prior to a meeting

In these cases, the notifiers objected in relation to the public meetings of bodies of representatives of municipalities that the invitations to and submission for the meetings were published on the websites of the municipalities only on the day preceding the date of the meeting, or not at all, and therefore the submissions under discussion were not accessible to the residents prior to the meeting.

In these specific cases, the Authority found that the Mayor’s Offices of the mu- nicipalities acted unlawfully because they published the invitations to and sub- missions for the meetings not within the time limit specified by the municipal decree pursuant to the Statutes of the municipality (hereinafter: Statutes) and the Privacy Act on the websites of the municipalities. Beyond this, the Authority also examined the provisions of the Statutes and determined that the time limit set in the Statutes governing the dispatch of invitations and written submissions to the representatives and their publication on the websites in view of Annex 1 II. 9 of the Privacy Act (“within two days prior to the meeting”) as unjustifiably short, jeopardising the freedom of information and it does not adequately facilitate the accessibility of the points on the agendas of the meetings and the submis- sions discussed there by the public prior to the meeting. On these grounds, the Authority made recommendations concerning the amendment of the Statutes to the municipalities, whose bodies of representatives put the recommendation to amend the Statutes on their agendas; one of them adopted a municipal decree concerning the amendment of the Statutes, while the other discarded the recom- mendation. [NAIH-2613/2023, NAIH-7613/2023]

8. Accessibility of data of public interest processed on the basis of the general administrative pro...

Earlier in its 2018 report, the Authority analysed the rules pertaining to two fun- damental rights – inspection of documents under the General Administrative Procedures Act and accessibility of data of public interest under the Privacy Act – in a separate point entitled “General Administrative Procedures Act vs. the Privacy Act, or public data in administrative procedures”. The Authority explained its position, according to which the fact itself that the data requested to be issued are otherwise used in an administrative authority procedure does not deprive these data from their character as data of public interest. Whether a restriction of accessibility is justified in view of the administrative authority procedure can only be assessed with regard to a specific case. In its final conclusion, the Authority established that the purpose of the restriction according to Section 27(2)(g) of the Privacy Act is not to restrict the accessibility of data generated in closed admin- istrative authority procedures.

According to the consistent opinion of the Authority, Section 33(3) of the General Administrative Procedures Act only sets forth the data types whose accessibility is subject to conditions. This section of the General Administrative Procedures Act does not contain any restriction on data of public interest or data accessi- ble on public interest grounds, all the provision requires is to render personal data or other protected data unidentifiable. The commentary on this section of the General Administrative Procedures Act also arrives at a conclusion, which is identical to the argumentation of the Authority, according to which the provision refers to protected secrets and documents containing other data protected by law (for instance, personal data). The reason for this wording of the provision is that if the documents contain data of public interest or data accessible on public interest grounds, anyone can access them without separate proof of authoriza- tion based on the rules of the Privacy Act.

Based on the practice of the court, it is also incorrect to interpret the legisla- tion, “when the organ performing public duties interprets the regulation under the Privacy Act and the General Administrative Procedures Act in a lex gener- alis – lex specialis relationship”. [Debrecen Court of Appeal Gf. 30.126/2016/5.] The judgment referred to also states that “The respondent had to take action in the specialised authority procedure according to the rules of the General Administrative Procedures Act; however, in the absence of the express prohibi- tion and restriction of the procedural act concerning this could not have affected the obligation of rendering the data of public interest accessible as set forth in

the Privacy Act; as Curia judgement Pfv.IV.20.455/2015/4 also pointed out, the fact in itself that the requested data of public interest are otherwise used in an authority or judicial procedure does not automatically deprive the data of their public interest character”.

In its judgement Pf. 21.108/2019/8, the Budapest Court of Appeal (annulled for legal technical reasons) established that only the provisions of the Privacy Act contain the rules applicable to access to data of public interest. This is distinct from inspection of the document of the administrative procedure based on the General Administrative Procedures Act regulated by its Sections 33-34.

The decision made in administrative authority procedures conducted accord- ing to the General Administrative Procedures Act represents data related to the performance of the public duty of a given organ, which is data of public interest based on Section 3(5) of the Privacy Act, with regard to which Section 33(5) of the General Administrative Procedures Act accurately specifies which authority decisions are accessible with what data content: “If a law does not restrict or ex- clude the accessibility of the decision, the final decision which does not include personal data and protected data, as well as the order annulling the decision of first instance and ordering the authority making the decision of first instance to carry out a new procedure, may be made accessible to anyone without restric- tion, once the procedure is completed.”

In one of its procedures, the Authority examined the accessibility of a minister’s opinion concerning the protection of heritage and world heritage upon a request for data of public interest. According to the position of the Ministry that holds the data, the requested data are needed to conduct an administrative procedure in progress before another authority, hence it is part of the documentation of this authority procedure governed by the provisions of the General Administrative Procedures Act. With reference to the fact that the requesting party was not a client in the authority procedure concerned, the Ministry refused to issue the requested document. The positions of the Authority and the Ministry have not come any closer, even though the Authority called attention to the fact that the data requested to be accessed qualify as environmental data, hence the restric- tion of their accessibility should be narrowly interpreted; in addition, the Authority highlighted the public interest in exploring this information.

The notion of “anyone” used in the General Administrative Procedures Act cor- responds to the definition of “anyone” as set forth in Article VI.(3) of Hungary’s Fundamental Law and Section 26(1) of the Privacy Act, which includes a client concerned.

The General Administrative Procedures Act grants the right of inspecting docu- ments for a client in the authority procedure, in the course of, and after the clo- sure of the procedure, while the Privacy Act provides an opportunity for any “third” party not concerned in the authority procedure to have access to the fi- nal anonymised decision, but only after the closure of the procedure. If a person concerned in an authority procedure – as part of the notion of “anyone” – re- quests data of public interest with regard to his own case from the organ per- forming a public duty, the Curia stated in its judgement Pfv.20.045/2023/7. that the data request of the requesting party concerning his own case does not pro- mote the transparency of public affairs, hence it does not meet the requirements set for requests for accessing data of public interest, so it cannot be qualified as a request to access data of public interest. The reason for this is that the purpose according to the Privacy Act cannot be interpreted through the data accessed by the client requesting the data against himself (Kúria Pfv.IV.20.419/2021/6.). The requesting party as client is entitled to exercise his rights as client according to the provisions of the General Administrative Procedures Act, whereby he can have access to the relevant data and information related to the case by way of inspecting documents. On the whole, access by the client to information linked to his own data cannot be reconciled with the social calling of the fundamental right, it does not contribute to the attainment of the goal declared in Section 1 of the Privacy Act, the enforcement of the right to access and disseminate data of public interest and data accessible on public interest grounds and the transpar- ency of public affairs in the subject matters under the scope of the law.

A notifier turned to the Authority because the Mayor’s Office (hereinafter: Office) denied granting his request for data of public interest, in which he asked for a copy of the memo prepared by the public area supervisor concerning the onsite supervision on the notifier’s terrace, based on a complaint related to the mu- sic played by a catering place close to the notifier’s residence (hereinafter: memo). The Office denied granting the data request, stating that compliance with the data request is impeded pursuant to Section 27(2)(g) of the Privacy Act as the notifier as client may have access to the requested document in accord- ance with the rules of document inspection according to Sections 33-34 of the General Administrative Procedures Act after his identification. Relative to this, the Authority found in the course of its investigation that there was no adminis- trative authority procedure in the case subject to the notification and that the re- quested memo contained all the information concerning the notifier. In view of this, it pointed out that the notifier’s request for sending the memo does not in fact qualify as a request for data of public interest as the notifier wished to ob- tain information on his own case. According to the Authority’s finding, the Office

should have identified the notifier’s request as one according to Section 15(3) of the General Data Protection Regulation, i.e. as a request for sending a copy of the notifier’s personal data processed by the Office and should have complied with that request in accordance with the provisions of Article 12 of the General Data Protection Regulation. The Authority ordered the Office to comply with the data subject’s request following the identification of the person of the notifier as needed. [NAIH-7974/2023]

9. Cases of restriction on accessibility

9.1 Trade secret

The requesting party wished to have access to specific data of contracts con- cluded by a business organisation in the exclusive ownership of the municipality with a third person; in the relevant investigative procedure, the Authority ex- plained that a given document (such as a contract or price quotation) may in- clude data, which do not belong to any of the data categories indicated in Section 27(3) of the Privacy Act (for instance, priced budget, know-how), or data which have been classified as a trade secret by the other party to the contract with the business organisation held by the municipality. The Authority summarised its position concerning the collision of trade secrets and the freedom of informa- tion in its recommendation issued under NAIH/2016/1911/V. According to the recommendation, business organisations at least the majority of which is held by the state/a municipality may not invoke trade secrets with regard to the pub- lic duty performed by them (including the management of public assets); at the same time, facts, information, solutions or data qualified as trade secrets are of paramount importance for a business organisation subject to market competi- tion because their corporate and economic plans and strategies are based on them, this information is the basis of their decisions, which ensure their place in the market, thus disclosure of such information may result in them being driven out of the market. Resolving the conflict between trade secrets and the freedom of information, Section 27(3) of the Privacy Act qualifies “quasi” trade secrets related to the budget of the central government and the local governments, the use of European Union funds, benefits and allowances involving the budget, the management, possession, use, utilisation and disposal and encumbering of cen- tral and local government assets, and the acquisition of any right in connection with such assets, as data accessible on public interest grounds with a view to ensuring the transparency of managing public funds. If the holder of the secrets (whether the municipal company or its contracted partner) took the necessary legal measures to keep the trade secret (e.g. express marking of parts concern- ing the trade secret and detailed explanation of the justification of protection), the business organisation held by the municipality and its contracted partner may not make it public without authorisation. If these data and protected information were to be accessed by the competitors of the business organisation in public ownership, or its contracted partner, it could result in the violation of the legiti- mate business interests of the contracting parties. [NAIH-6203/2023]

9.2 Generating new data

According to the practice of the Constitutional Court, the ordinary courts and the Authority, restriction of the accessibility of data of public interest is only possible at the level of the law, by ensuring the discretion and the obligation of the con- troller with a view to protecting the interests specified in the Privacy Act; criteria of convenience may not justify the rejection of a data request.

In the case under investigation, the notifier did not ask for the forwarding of a complete register, he only asked for access to a line of data, which can be que- ried with a simple IT query operation. In view of Constitutional Court Decision 13/2019. (IV. 8.) AB, Justification paragraph [55], the Authority explained: if the data request applies to the selection by queries according to specific criteria, of existing and processed (recorded) data and, for instance, organising them in a table, the request may not be denied. The request must be complied with, irre- spective of the form of recording and irrespective of whether the data has to be found through the review of the controller’s records and/or documents stored by the controller. Just as the controller may not deny compliance with the data request on the basis that it would require the review of the documented pro- cesses and the separation of the accessible and the inaccessible data in it. The Authority also underlined that mere administrative considerations may not result in the restriction of the freedom of information. [Constitutional Court Decision 12/2004. (IV. 7.) AB]

In summary, the Authority consistently holds the position that the performance of simple IT operations, such as query and adding up, do not qualify as the gen- eration of qualitatively new data. To comply with the data request constituting the subject matter of the case, there was no need to perform operations beyond simple IT, mathematical or other operations causing substantial difficulties. In the case of the data request under investigation, the subject matter was to query data stored, data that could be queried by simple (or additional) work as set forth in Constitutional Court Decision AB 13/2019. (IV. 8.), so compliance with the re- quest did not require the obtaining or collection of new data from other organs, the provision of explanations or drawing conclusions.

A merely formal reference to Constitutional Court Decision 13/2019. (IV. 8.) AB without the actual examination of the content of the individual issues of the re- quest for data for public interest and of the answers to be given to them quali- fies as undue restriction of a fundamental right set forth in Article VI.(3) of the Fundamental Law clashing with Article I.(3), and therefore it is anti-constitutional. [NAIH-9111-2/2023]

9.3. Government Integrated Portal for the Disclosure of Data of Public Interest (KIKAP Portal), Authority Integrated Portal for the Disclosure of Data for Public Interest (HIKAP Portal)

In the investigations of the Authority based on complaints against the operation of the HIKAP and KIKAP Portals, all the complaints objected to the fact that the data of public interest or data accessible on public interest grounds made public through an URL were accessible for 15 days after uploading, thereafter the data were archived and erased after 90 days. The data of public interest “made public” on the HIKAP and the KIKAP Portals are accessible exclusively to the request- ing party or to the person who has the URL sent by the controller for download- ing the data, for 15 days.

The controller (the organ issuing the data) does not monitor whether the request- ing party receives the data or document requested to be accessed by him. The requesting party has to notify that he is unable to access the requested docu- ment for some reason, in which case the controller sends a link again to the e- mail address of the requesting party. An additional problem discovered in the course of the investigation was that the KIKAP and the HIKAP systems automat- ically place two watermarks on the given document: the e-mail address of the re- questing party and the KIKAP caption. According to the controllers, the purpose of this is the “one step identification” of the requesting party.

According to the position of the Authority, the watermark applied on documents issued upon requests for data of public interest – even if the watermark does not block the data of public interest in a given case – impedes the right to dissemi- nate data of public interest as ensured by the Fundamental Law, particularly if the watermark also includes the personal data of the requesting party (such as his e-mail address). [NAIH-7525/2023., NAIH-44/2023., NAIH-584/2023.]

9.4. Portal used by the Hungarian Association of Judicial Officers (MBVK) to comply with data requests

According to a complaint related to granting a data request, the download did not start when clicking on the “Download” button, and the series of data disap- peared. The complainant also objected to the fact that he could have been able to download the answer uploaded for the data request only once within a period of two weeks, and that the watermark running across the entire page, including his personal data (his name, the date of the data request and his e-mail address) blocked one of the key data.

To provide data of public interest electronically, MBVK developed a portal for providing data. According to MBVK, its advantages include the minimisation of data loss, an increasingly transparent form of the uploaded materials and com- plete protection of the personal data of the requesting parties. The provider of the data receives confirmation of the downloads sent to the users. At the same time, the controller does not ascertain whether the requesting party has actually accessed or downloaded the data of public interest. As a result of the investiga- tion, the watermark is no longer applied and downloading the uploaded docu- ments is no longer restricted.

9.5. Portal to grant data requests used by the Supervisory Authority of Regulated Activities (SZTFH)

The notifier objected to the fact that SZTFH answered his data request in a for- mat, which he could not access and the answer was archived. The notifier did not receive any information about how long the answer would be accessible and how many times could be downloaded.

The HIKAP Portal is used for uploading data of public interest and data accessi- ble on public interest grounds made public through compliance with requests for data of public interest and for sending them to the requesting parties. In addition, SZTFH cited the rationalisation of internal administrative operations and increas- ingly efficient, more secure and faster management of cases as arguments in favour of the use of the system. The requesting party receives the URL for data access and information on legal remedy in a letter sent to his e-mail address pro- vided in the course of requesting the data.

As a result of the investigation, SZTFH has modified the general operation of the HIKAP Portal so that the answer to the data request is accessible for a year fol- lowing publication on the portal, after which the data content is archived for 90 days.

10. The accessibility of environmental data

Similarly to previous years, controllers mainly refer to Section 27(5)-(6) of the Privacy Act when rejecting data requests for environmental information.

The notifier requested an expert document from the municipality of a city with county rights which contained the results of a hydrological test of an area, which the municipality intended to sell subsequently, and for which a water rights li- censing procedure was also in progress. The municipality justified the rejection of the data request stating that the requested data supported decision-making. In its call, the Authority explained that an organ performing public duties may ap- ply Section 27(5) of the Privacy Act to restrict accessibility only with regard to a procedure aimed at decision-making within its own responsibilities and powers. The Privacy Act disallows an organ performing public duties to restrict access to the data of public interest it processes by reference to a procedure in progress before any authority. Only the head of the organ conducting the procedure is in a position to carry out the balancing test required by Section 30(5) of the Privacy Act to assess whether the restriction of accessibility is necessary for the lawful and professional operation of the organ he heads.

The municipality presented that the data requested by the notifier were also needed for an eventual purchase-and-sale procedure, in which the municipal- ity would be the seller. According to the position of the municipality, the expert opinion contains statements that are difficult to interpret without the appropri- ate expertise. In its call, the Authority explained that according to the consist- ent practice of the Authority and of the courts the comprehensibility of the data may not influence the accessibility of data of public interest. In its judgement Pfv. 21.081/2018/5., the Curia declared that “Even the respondent may contribute to the correct interpretation. Nevertheless, eventual difficulties in interpretation in themselves do not provide grounds for denying the issue of the data.”

The Authority also underlined that the data requested by the notifier qualify as environmental information pursuant to Section 2(a) of Government Decree 311/2005. (XII. 25.) on the order of public access to environmental information. Based on the consistent practice of the Authority and of the courts, the pub- lic interest in compliance with requests to access environmental information is particularly significant: “the appropriate protection of the environment is indis- pensable for human well-being and the exercise of fundamental human rights, including the right to life. It is a fundamental right that everyone has a right to live in an environment appropriate for his health and well-being, and everyone indi- vidually, as well as together with others, has an obligation to protect and improve the environment for the benefit of current and future generations. To ensure this right of citizens and to enable them to meet this obligation, information on envi- ronmental affairs must be made accessible to them, they must be granted the right to participate in decision-making, hence in environment-related cases in the given case, the deepening of the accountability and transparency of decision- making is more important than trade secrets, and through this, the reinforcement of the support by the public of decisions. Because of the interest of society in safeguarding the environment, access to data on environmental pollution and the condition of the environment enjoys priority over safeguarding trade secrets”8. In view of the fact that the municipality wished to sell a protective zone desig- nated for the intensive protection of drinking water supply – naturally dependent on the result of the procedure for obtaining a water rights permit – the public in- terest in the accessibility of the data supporting the municipality’s decision con- cerning the purchase-and-sale was of particular significance in the Authority’s view, hence it called upon the municipality to comply with the data request. The municipality acted as called upon, hence the requesting party had access to the requested data. [NAIH-1387/2023.]

In another case, the subject matter of the notifier’s data request was the expert opinion, on the basis of which the trees were cut down on Siófok’s Silver Beach. The controller, a limited company, rejected the data request based on Section 27(5) of the Privacy Act. According to their position, it was to be feared that the inappropriate publication of the data could either impede the implementation of the decision or make it substantially more difficult and they wanted to avoid any disruption to the works. The Authority established that the data request was an- swered one day after the trees were cut down. On the day of the submission of the data request, it could have been an acceptable justification for restricting accessibility that “in other cases, it occurred several times in Hungary that cer- tain individuals attempted to physically prevent the implementation of such deci- sions”. The decision on the restriction of accessibility was made after the trees were cut down, i.e. after the implementation of the decision. The balancing test according to Section 30(5) of the Privacy Act must be carried out even when re- stricting the accessibility of data supporting decision-making based on Section 27(5)-(6) of the Privacy Act. The extraordinarily significant public interest in the accessibility of environmental data should have been included with a decisive weight in the balancing test carried out by the company after the trees were cut down, because the decision was made after the cutting of the trees. The com- pany complied with the Authority’s call and issued the requested data to the re- questing party. [NAIH-575/2023]

Similarly to previous years, the Authority examined non-compliance with the ob- ligation to provide or to transfer information as set forth in Section 12(6) in the Environment Protection Act also in 2023. The requesting party asked for the re- sults of measuring the level of air pollution ordered by a municipality of a city of county rights or any of its municipal companies, the evaluation of the results and the minutes containing these data from the municipality. The municipality justi- fied the rejection by stating that it did not have the requested data at the time of granting the data request. It also stated that it did not transfer the data request to the organ holding the data, because as the principle of the measurement, the municipality as contracting party has a priority right preceding anyone else to access the measurement data. The Authority established that the municipality did not violate the notifier’s right to access data of public interest when it failed to comply with the data request as it did not have the requested data, it had not yet received them from the organ carrying out the measurement. However, the municipality acted unlawfully when it failed to forward the data request to the or- gan holding the data and failed to provide information to the requesting party on the identity of the organ processing the data. According to Section 12(6) of the Environment Protection Act: “If the contacted organ does not have the requested environmental information, it has to send the request concerning access to the information to the organ that has the environmental information and it has to no- tify or inform the requesting party about the organ holding the environmental in- formation from which to request that information.”

Neither the Privacy Act, nor the Environment Protection Act contains any provi- sion, which would exempt the organs originally receiving the data request from the obligation to provide information or transfer the data under certain condi- tions. According to the municipality’s position, the data were not yet final, hence the requesting party could not be informed of who to turn to for the measured results of the level of air pollution as requested, nor was it possible to forward the data request to the company producing the data. The Authority informed the municipality of its contrary position concerning access to raw environmental in- formation. According to Section 51(1) of the Environment Protection Act: “Data concerning the state and use of the environment should be processed according to the legal regulations concerning data of public interest.”

This means that raw data concerning the level of air pollution yet to be evalu- ated are also data of public interest because they concerned the state and use of the environment. It may happen that the evaluation or validation of the raw data leads to results different from the original data. It may be a genuine ques- tion whether data, which may still change, should be issued. Hungary is party to the Convention on access to information, public participation in decision-making and access to justice in environmental matters adopted in Aarhus on 25 June 1998 (hereinafter the Aarhus Convention), which was promulgated by Act LXXXI of 2001. According to the implementation guide of the Aarhus Convention, the Compliance Committee of the Convention and the decisions of the European Court of Justice, the notion of environmental information is to be interpreted broadly. The Compliance Committee of the Aarhus Convention found in case ACCC/C/2010/53 that non-compliance with data requests concerning raw data violates Article 4(1) of the Aarhus Convention. According to the Convention, the notion of environmental information is broad, it is not limited to processed data. The Compliance Committee recommends that if an organ discharging public du- ties has doubts concerning the issue of raw data, they should notify the request- ing party that the environmental information made available is raw data, they were not yet processed in accordance with the rules applicable to the processing of raw environmental data when they were issued. Therefore, organs performing environmental duties must issue raw air pollution data to the requesting parties. The Municipality should have forwarded the data request to the organ process- ing the raw data or it should have informed the requesting party about which or- gan processes the raw air pollution data. Naturally, the information could have included a warning that the evaluation of the data processed by the organ indi- cated has not yet been completed. [NAIH-4044/2023]

11. Matters of education, the transparency of public education

In 2023, the largest number of data requests was again submitted in relation to the phenomenon of teacher shortage. In addition to the transparency of educa- tion, the Authority attaches outstanding importance to taking other fundamental children’s rights into account and emphasising them, hence the Authority takes the position that there is an outstanding public interest in accessing the data requested in relation to this subject matter because of the children’s right to educa- tion. The exploration of problems and challenges related to education affecting the entire society at systemic level and conducting a public debate on these is- sues are in the interest of the public, in the interest of children, and also in the interest of organs and persons performing public duties involved in educational decision-making.

11.1 Statistical data of teachers and vacancies in a school district

The notifier submitted a request for data of public interest to a School District Centre in Budapest, asking for the accurate number of full-time and part-time teachers, teachers of retirement age and retired teachers in a breakdown by age, school subject and educational institution, as well as the number of vacan- cies unfilled on the first day of the academic year in a breakdown by subject and educational institution. The data request also extended to the number of teach- ers dismissed in one of the high schools on 30 September 2022, the teachers’ teaching qualifications and the impact studies related to their dismissal and the documents supporting decision-making drafted in-house in this context. The in- vestigation revealed that the school district failed to comply with the data request because of an error in administration, but later, after an extension of the dead- line, it issued the data it processed to the requesting party. [NAIH-3968/2023]

Parents and parents’ organisations pay particular attention to the issue of wheth- er teachers of adequate qualifications teach the students and stand in in classes. The notifier posed questions to the School District Centre concerning the issue of teacher shortage, which partially refused to comply with the data request in- voking Constitutional Court Decision 13/2019. (IV. 8.) AB. In the case of the insti- tutions of public education maintained by the school district, the data requested included, among others, the permitted number of the teaching staff, the teach- ing positions filled in, the number of persons pursuing educational and teach- ing activities without a tertiary teaching degree and the permanent substitutions (overtime work) assigned to teachers. The request for data of public interest also included questions on how many classes did not have a class breakdown according to the pedagogical programme because of vacancies or the employ- ment of teachers without the necessary qualifications and how many classes were held without professional substitution in the institutions in academic year 2021/2022 based on KRÉTA records.

In the context of the Constitutional Court decision invoked, the Authority under- lined that performing simple sums does not qualify as the generation of new, qualitatively different data. This Constitutional Court decision cannot be applied as an automatic reason for rejection, because the data can be produced without physically finding the requested data one by one, the data are electronically avail- able, and the generation of new, qualitatively different data, explanations and conclusions beyond the data already processed are not needed for compliance with the data request. Compliance with the data request necessarily requires some labour which, however, is concomitant with ensuring the fundamental right to access data of public interest by the institution. Accessibility may be restricted only at the level of the law for the protection of interests specified in the Privacy Act; considerations of convenience may not constitute a basis for rejecting the data request. The requested data – which the requesting party only requested as statistical data without names – are accessible also as personal data acces- sible on public interest grounds for each teacher. No matter on the basis of what legal regulation or legal relationship teachers are employed, the responsibilities, jobs and other personal data linked to the performance of public duties of each of them is accessible on the basis of Section 26(2) of the Privacy Act.

As to the issue of substitution, the Authority’s position was that if, in addition to performing his job, a teacher has to carry out tasks that are part of somebody else’s job for a transitory period based on the order of the employer, this affects his tasks, job and performance of public duties, which are also data accessible on public interest grounds based on Section 26(2) of the Privacy Act. Also in the case of teachers substituting for others, the data concerning their qualifica- tions are definitely data accessible on public interest grounds based on Section 26(2) of the Privacy Act, even if the employer of the substitute teacher is anoth- er institution. This means that with reference to Section 26(2) of the Privacy Act, requesting parties are entitled to have access to the identity, education and qual- ifications of substitute teachers.

Beyond requests to access individual data of public interest, another method of accessing data of public interest and data accessible on public interest grounds is the electronic publication obligation of organs performing public duties, in this case, the educational institutions. Pursuant to Section 23 of Government Decree 229/2012 (VIII. 28.) on the implementation of the Act on National Public Education, educational institutions have to publish data on the education and qualifications of teachers, the number of teaching assistants, their education and qualifications based on the jobs filled, on the dedicated site of KIR, as well as on their websites. Requesting parties can find out whether substitution was docu- mented as professional or non-professional in two different ways. If they only wish to have access to summary data, for instance, on the ratio of professional/non-professional substitutions on a given day/week/month, the institution is under an obligation to issue the data as data of public interest. If, however, the data is requested with regard to a specific teacher, as it is personal data, it will be accessible as personal data accessible on public interest grounds based on Section 26(2) of the Privacy Act. In the case of a teacher standing in for another, the fact whether he is standing in as a teacher specialising in the given subject or not, hence the substitution be considered as professional or non-professional, also qualifies as other personal data related to the performance of public duties. It is a separate issue whether, despite the fact that a teacher is substituted by a non-specialist teacher, the institution still books the substitution as a profession- al substitution. Such data are also accessible as data of public interest because that too is a recorded data processed by the school regarding its activities. As a result of the Authority’s call, the School District issued the data it processed, while the requesting party was referred to the respective institution with regard to data whose exclusive controller was the institution of public education con- cerned. [NAIH-7384/2023]

11.2 Accessibility of teachers’ education and qualifications

Another notifier wished to know whether the five special needs teachers named in his data request had the remedial educator or conductor qualifications ade- quate to the type and severity of his child’s special needs and what kind of le- gal relationship the remedial educator had with the school. The Authority took the position that with reference to Section 26(2) of the Privacy Act the request- ing party is entitled to have access to the identity and the qualifications of the teachers whether they have the specialised qualifications adequate to the type of special educational needs, the tasks they perform, the tasks they were en- trusted with, the contract of assignment itself and, if any, the relevant invoices as well. The Authority also explained that the Privacy Act does not know the no- tions of personal request for data or data request for private interest. If the sub- ject matter of the data request is data of public interest and data accessible on public interest grounds specified under Section 3(5)-(6) of the Privacy Act, the request qualifies as request for data of public interest, irrespective of the objec- tives and circumstances of the person requesting the data or of the data request. Such objectives and circumstances cannot be examined when complying with the data request, nor can they constitute an impediment to issuing data, which are otherwise accessible. According to the Authority’s position, the use of the personal data accessible on public interest grounds requested in procedures be- fore courts or authorities complies with the principle of purpose limitation. [NAIH- 8522/2023.]

11.3. The transparency of applications for public education development, accessibility of contracts

The subject matter of another submission was access to all the contracts con- cluded by the municipality and generated in the course of administering the application for the “Development of the natural science methodology and in- struments of János Arany Primary School and High School”. In this case, both the School District Centre and the Municipality declared that they did not man- age the contracts. While under investigation by the Authority, the School District stated that they did not receive the contracts desired to be accessed from the Municipality (they only got them on CD, which was damaged and the documents on them could not be downloaded), hence the School District Centre did not have the requested contracts in its possession either electronically, or signed on hard copy, or in an editable electronic file. According to the answer of the Municipality, the operation of institutions of public education, including the János Arany Primary School and High School, became tasks of the school district as of 1 January 2017, based on legal regulation. Because of this, the performance of tasks related to the application referred to was the responsibility of the School District Centre. In view of the fact that scrapping has not taken place according to Decree 78/2012. (XII.28.) BM on issuing the uniform archiving schedule of mu- nicipal offices, the municipality sent the contracts related to the administration of the application to the requesting party by e-mail as a result of the Authority’s procedure. [NAIH-3967/2023.]

11.4 Accessibility of the division of school subjects

In a request for consultation, it was asked whether school subject divisions could be requested from the School District in a request for data of public interest. According to the Authority’s position, the school subject division contains data of public interest and personal data accessible on public interest grounds. Once the school subject division is prepared, it is managed by the school and, after 15 August, by the school and the operator of the school. However, not all data of public interest are accessible. This means that prior to approval by the operator, the document may qualify as a document supporting decision-making accord- ing to Section 27(5)-(6) of the Privacy Act, just as is the case after approval, if the data also supports future decision-making, or if access to it would jeopardise the lawful functioning of the organ performing public duties or the performance of its functions and powers without undue external influence. However, in each case, the organ performing public duties has to make reference to the circum- stance that restricts accessibility. Based on Section 28-30 of the Privacy Act, the – approved – school subject division may be requested from the School District. [NAIH-6234/2023]

11.5 Issue of the data of class sizes and regular child protection benefits

In another case of consultation, a statement was requested whether a school district is under an obligation to issue data of how many children attend individ- ual junior classes of a primary school and altogether how many children receive regular child protection allowance (hereinafter: RGYK) in the individual classes of the individual grades. It was also asked which organs process the data con- cerning regular child protection allowance. Earlier, the School District issued the number of children attending the individual classes; however, they stated con- cerning the regular child protection allowance that they are not controllers with regard to these data and that in their view, a given natural person (student) can be traced back and identified from the cumulated statistical data. The Authority took the position that the cumulated statistical data, which do not contain per- sonal data, are data of public interest, access to which may not be restricted by the provisions of Sections 28-30 of the Privacy Act. Based on the provisions of Act XXXI of 1997 on the Protection of Children and the Administration of Guardianship, the guardianship administration, the municipality or the operator process the data concerning the data on regular child protection allowance with regard to any child. The guardianship administration establishes entitlement to the regular child protection allowance, hence the primary controller of these data is the guardianship administration, so requests for data of public interest with re- gard to these data should be submitted to the guardianship administration. The municipality and the educational institution itself can provide information on data related to school meals. Since, in practice, tasks related to catering and invoic- ing are carried out by the educational institution or a local service organisation, (or other organisation providing for public meals or school meals), these organs and organisations also process data on entitlement to meals at preferential rates, hence they are under an obligation to fulfil requests for data of public interest. (A request for data of public interest may also be submitted to the municipality, the school district or the school for the identification for such an organisation.) In the case under investigation, the School District processed the data concerning the regular child protection allowance, while the guardianship administration or the municipality do not process the data on which child attends which class, so they would not be able to answer some of the questions posed in the data request. [NAIH-6566/2023]

11.6 Data supporting class division

The Authority took the contrary position in a case when a data request was made for accessing the data supporting the division of class in an anonymous statis- tical statement. With regard to each student of two classes, the sex, age, place of residence, average study score in the preceding year, the foreign language studied was separately asked for each student and also whether the student benefitted from the regular child protection allowance, whether the student was underprivileged, particularly underprivileged and whether the student had an in- dividual study plan. According to the Authority’s position, compliance with a data request of this kind could violate the individual student’s right to the protection of personal data, because in this way the individual students could be identified (e.g. if the place of residence of only one student is in a given settlement or the age of only one of them differs from that of the others, etc.) Because of this, the data requested can be accessed only in cumulated form for each class and not separately for the individual students. [NAIH-8194/2023.]

11.7 Transparency concerning the E-kréta breach

With regard to the data breach affecting the internal IT systems of eKréta Informatikai Zrt., Educational Development Informatikai Zrt. (because of the change in the name of eKréta Informatikai Zrt. on 20 April 2023) informed the Authority that the company notified every controller of the data breach affect- ing the company, including the fact that the data breach affected not the KRÉTA system but only the internal IT systems of eKréta Informatikai Zrt. in the form of a message on the “notice board”9 used in the Kréta system. Under its investiga- tion, the Authority established that the company violated the notifier’s rights to the protection of personal data and access to data of public interest (two data categories requested) when it has failed to answer the notifier’s letter concerning the exercise of data subjects’ rights and request for data of public interest since 13 November 2022. When dealing with the large number of requests received in connection with the data breach and due to the workload on the company, they unfortunately failed to answer the notifier’s letter. The Authority appreciated the company’s argument that it was not in a position to answer certain questions for reasons of data and information security as access to this information and/or their disclosure to the public could greatly increase data security risks and could contribute to malicious activities by persons/organisations planning unauthor- ized attacks/intrusions. [NAIH-4794/2023]

11.8 Public evaluation of institutions of public education

In response to a notification submitted in relation to a kindergarten evaluating website, the Authority informed the notifier that having examined the website, the Authority did not find any unlawfully disclosed personal data and the identifica- tion and access data of the kindergarten shown in the website objected to cor- responded to the data shown on the oktatas.hu website and the kindergarten’s own website. The Authority has no powers to take action concerning the publi- cation of opinions on the kindergarten, as such opinions and evaluations belong to the sphere of freedom of expression; the courts have powers to take action in relation to them based on the Acts on the Civil Code and the Criminal Code. [NAIH-8645/2023]

11.9 Tertiary education – the accessibility of theses

In one of the cases on tertiary education, the Authority responding to the consul- tation question of the data protection officer of a university explained its position concerning the accessibility of theses, having invited the opinion of the Ministry of Culture and Innovation (KIM). The regulatory environment changed substan- tially in 2022 – it is no longer an autonomous decision of the institutions of ter- tiary education how they publish theses; they must be made accessible without restriction to anyone with regard to theses made after 28 May 2021. According to KIM, the term “without restriction” means that a person wishing to have access to a thesis must not face unreasonable difficulties or costs. An institution of tertiary education may enable access and searchability in other suitable ways, for in- stance, through a computer installed in its library, if the thesis is otherwise stored in the study system; the rules generally applicable to the use of the library (open- ing hours, eventual reasonable fee payment obligation for non-students) do not qualify as restrictions. According to the Authority’s position, the right to access may be restricted to inspection only in view of the right to intellectual property; the person wishing to access a thesis may not request the institution to make a copy of the paper. [NAIH-5259/2023.]

11.10 Contracts concluded by the operator

A notifier objected to the fact that although he submitted a request for data of public interest to the Foundation for […] University asking, inter alia, about the purchase price that the Foundation paid for the […] Medical Center Kft. and the […] Medical Invest Kft., which remained unanswered within the period open for this and beyond.

According to the Authority’s position, the foundation as an entity funded from public funds, managing public funds and performing public duties is subject to the scope of the Privacy Act. A trust foundation with a public-service mission (hereinafter: KEKVA) is an organ performing public duties in every case both with a task-oriented and an asset-oriented approach. The assets that KEKVA manages and increases are public assets. Therefore, the Foundation’s capacity as an organ performing public duties can be established unconditionally and in every case with an asset-oriented approach. With regard to data of public inter- est, those subject to the obligation to inform have to do so equally because they perform public tasks and because they manage public funds. In the course of the Authority’s investigation, the Foundation declared that although the Foundation was the operator of the University, the University and the Foundation were two separate legal entities and they qualify as two separate controllers with regard to processing data of public interest. It was not the Foundation, but the University that was involved and acted in the legal transaction concerning the purchase of the exclusive business of the Kft., and the indirect property of […] Medical Center Kft., therefore only the University has the data concerning the transac- tion and the University is the controller. Unfortunately, however, the Foundation failed to notify the requesting party of this fact in a lawful manner and simply left the data request without response. As a result of the Authority’s investigation, the Foundation forwarded the data request to the competent organisational units of the University. [NAIH-5650/2023]

12. The transparency of the judiciary – data accessibility practice of the courts, MBVK and bailiffs...

Among the submission received this year, some consultation submissions af- fected the courts and complaints against the Hungarian Association of Judicial Officers.

12.1 Submissions concerning the courts

A consultation request concerning the accessibility of court judgments asked whether a judgement and its justification could be made public without names and addresses with a view to informing the membership of a trade union. The Authority took the position that the statements made by the persons concerned in a court procedure, the testimony they gave, their behaviour in the case at is- sue (an incident involving wrangling) and the fact that the court qualified their testimony as “questionable” are all data, which are not related to their performance of public duties, particularly when, as employees, they do not act with- in the scope of the functions and powers of the organ (e.g., janitors, security guards). The data of a court procedure, which in themselves cannot be associ- ated with natural persons, qualify as data of public interest so long as the data do not/could not become personal data, i.e. a natural person cannot be associ- ated with or by the data and his right to informational self-determination is not infringed through it, or its direct threat cannot arise (e.g., the case number of the lawsuit). A problem may arise from the connection of the data, which enables the identification of natural persons. The connection of an anonymised court deci- sion with natural persons in any way – for instance, by disclosing the name of the respondent company in order to indirectly infer the identity of the persons in- volved in the lawsuit – would already amount to data processing, which is subject to the objective scope of the GDPR. [NAIH-9453/2023]

It is worthwhile to mention a case of investigation, in which the notifier initiated the investigative procedure of the Authority because a court rejected compli- ance with his request for data of public interest for sending copies of answers to requests for data of public interest submitted to the court during a given period. The Authority pointed out that upon receipt of the request for data of public inter- est, the court considered, in view of the provision in the first sentence of Section 86(1) of Decree 14/2002. (VIII.1.) on the rules of court administration (hereinafter: Court Administration Decree), whether the notifier can be regarded as an inter- ested party in accessing the data of public interest, is contrary to the social pur- pose of the fundamental right because, according to Section 29 of the Privacy Act, “anyone” can request data; the controller may not examine his identity or the purpose of requesting the data. In several of its published decisions, the Curia held that the petitioner’s request for issuing “documents” related to himself does not constitute a request for data of public interest as it does not and cannot serve the transparency of public affairs, and therefore it does not meet the re- quirements for a request to access data of public interest. (Pfv.IV.20.419/2021/6., published in: BH2022.16., Pfv.IV.21.269/2022/5., Pfv.IV.20.008/2023/4.) Under Section 1(2) of the Court Administration Decree, its rules are to be applied in the absence of different provisions of separate legal regulations, in view of which the Authority stated that it should be considered in each case whether a different provision of a legal regulation should govern the given case, or the provision of the Court Administration Decree under investigation. The Authority pointed out that in its view it may be established that the restrictive rules in the provisions of Section 86(1) of the Court Administration Decree do not at all govern the grant- ing of requests of data of public interest, i.e. with regard to data of public interest, because the Privacy Act sets forth different provisions concerning the accessi- bility of the documents.

Even if the provisions of Section 86(1) of the Court Administration Decree were applicable, these provisions should be applied in view of the provisions of Section 1(3) of the same decree, which requires compliance with the provisions of the Privacy Act in the course of case administration. A different interpretation of the law would lead to the conclusion that the president of the court should decide on granting a request for data of public interest within his discretion according to the last sentence of Section 86(1) of the Court Administration Decree, but the presi- dent of the court would naturally be bound by the provisions of the Privacy Act concerning compliance with requests for data of public interest in the course of his deliberations. This means that the president may only refuse to comply with the request for data of public interest, if the reasons for refusal according to the Privacy Act obtain, i.e. similarly to the head of any other organ performing pub- lic duties, he may carry out the deliberations only within the provisions of the Privacy Act.

In both of the above interpretations of the law, the president of the court has the discretion to decide whether to grant or reject the request for data, but he may only make his decision on the basis of the provisions of the Privacy Act and not by disregarding them, i.e. not exclusively on the basis of Section 86(1) of the Court Administration Decree. Based on all this, the Authority called upon the court to comply with the data request, which the court did. [NAIH-7830/2023]

12.2 Judicial enforcement

This year, again, the Hungarian Association of Judicial Officers (MBVK) was the controller in most cases related to the judiciary. MBVK regularly disputes the po- sitions taken by the Authority supervising the enforcement of the right to access data of public interest, it fails to meet the Authority’s calls, or fully leaves its re- quests unanswered. Unfortunately, most of the cases affecting MBVK end up in court, where the requesting party can have access to the data of public interest desired since the judgment of the court can be enforced through the coercive power of the state. The chapter on court decisions details the court judgments concerning MBVK as respondent in cases related to the freedom of information.

The subject matter of a complaint affecting MBVK was the list of grants and expenditures for the development of MBVK’s information systems annually between 2016 and 2022 and the list of its contracts concluded since 2017 amount- ing to at least five million forints net.

MBVK rejected the disclosure of the data by stating that it does not keep records on the distribution of the development costs of its various IT systems in an an- nual breakdown. They stated that they could not comply with the data request as that would require the generation of new data. MBVK rejected the request to issue the list of contracts concluded since 2017 of at least five million forints net and the list of companies with which it concluded contracts in excess of five mil- lion forints in 2021 and 2022, declaring that they do not record the requested data as “collected data”.

The Authority consistently held that the performance of simple IT queries and mathematical operations (sums) do not qualify as the generation of new data and ordering them in a table does not qualify as “the generation of new records”. To comply with the data request constituting the subject matter of this case, there is no need to exceed the level of simple IT, mathematical or other operations that do not present any substantial difficulty. Therefore, MBVK has to answer the questions posed in the data request concerning their financial management and spending. The Authority also opined that the data of public interest desired to be accessed would provide important information also for the Hungarian so- ciety, promote the transparency of MBVK, whose reputation has been tarnished by corruption and criminal procedures and strengthen public confidence in the functioning of MBVK, the Hungarian state and the judiciary.

With reference to court judgment 69.P.22.423/2023/3, MBVK informed the Authority that it had sent the list of its contracts of at least one million forints net concluded since 2017 in a structure required by the data request. They also stat- ed that they never received any grants to develop their IT systems and with re- gard to the amounts spent on the development of IT systems, they insisted that the provision of the requested data would involve not merely sums and deduc- tions, that they did not have these data and to comply with the data request, they would have to label all their supplier invoices and wage-type costs in their books,

i.e. they would have to indicate the purpose for which any given cost item was used. [NAIH-44-2023.]

In another case affecting MBVK, the requesting party wished to access the data, which would reveal which bailiff positions were vacant at the time of the data re- quest and since when and for how long individual bailiffs have been in their po- sitions.

MBVK informed the requesting party that he can search an up-to-date register of the currently authorised independent bailiffs on mbvk.hu/nevjegyzek. If a posi- tion is vacant, an independent bailiff temporarily designated to perform the task takes action as substitute bailiff. In these cases, the person authorised to take action is shown as follows: XY permanent substitute (title of assignment) instead of YX independent bailiff. In addition, they also sent the link to a summary Excel table available under the menu “Addresses of bailiffs’ offices”.

MBVK rejected the part of the data request asking about the date of assigning permanent substitutes, stating that these data are processed in the public reg- ister according to Section 250/A(5) of Act LIII of 1994 on Judicial Enforcement (Judicial Enforcement Act). MBVK held the view that based on Section 28(8) of the Privacy Act, the general rules of requests for data of public interest can- not be applied to provide data from the authority records; data from these re- cords may be provided in a manner regulated in a separate act. In view of the fact that the Judicial Enforcement Act only provides for the obligation to forward data as a sectoral rule for cooperating organs with powers to supervise compli- ance or performing tasks of an authority or court, and according to Section 33 of the General Administrative Procedures Act, a third person may inspect the re- cords if he verifies that his access to the data is necessary for the enforcement of his rights or meeting his obligations based on legal regulation or decision of a court or an authority, the data request in this matter cannot be complied with in MBVK’s opinion.

The Authority could not accept the statements made by MBVK in the course of its investigation and it declared in its call that the vacancy of bailiff positions is data of public interest under Section 3(5) of the Privacy Act, while the date of the assignment of permanent substitutes is data accessible on public interest grounds based on Sections 3(6) and 26(2) of the Privacy Act. As the name of the permanent substitute and the date of his assignment qualify as other personal data related to the performance of the public duties of bailiffs, they are accessi- ble as data accessible on public interest grounds. The vacancy of bailiff positions constitutes data of public interest in the service of the transparency of public af- fairs that are important for public opinion, whose accessibility is not part of pro- viding individual data from the register.

The position of the supervisory organ of MBVK, the Supervisory Authority for Regulated Activities (SZTFH) was also that the data listed in Section 250/A(2) – except for those specified in Section 250/A(1) of the Judicial Enforcement Act – can be issued when requested.

According to the Authority’s position, information concerning data of public inter- est or data accessible on public interest grounds cannot be refused stating that the requested data otherwise constitute part of a public register. (Similarly, ac- cessibility of data concerning national assets, real estate and business quotas held by the state or a municipality cannot be excluded with reference to the trade register or the land register as public registers, etc.)

In view of the fact that the positions of the Authority and of MBVK have not come any closer with regard to the accessibility of the data constituting the subject mat- ter of this case, the Authority called upon the Supervisory Organ of Regulated Activities to conduct an investigation whether MBVK interprets the relationship between the Judicial Enforcement Act and the Privacy Act in accordance with the legal regulations. Furthermore, the Authority issued a recommendation to the SZTFH, inter alia, on the fact that, as independent bailiffs (and substitute bail- iffs) are persons exercising public authority and performing public duties, a law (preferably the Judicial Enforcement Act) should clearly state that they are under the subjective scope of Chapters III and IV of the Privacy Act and they are sub- ject to all the obligations related to the freedom of information, to which organs performing public duties are subject in general (making data of public interest and data accessible on public interest grounds accessible based on individual data request and the publication of data of public interest in accordance with the general publication scheme set forth in Annex 1 of the Privacy Act – expediently on the website of MBVK). [NAIH-5145/2023]

MBVK rejected the issue of data citing similar reasons also in a case inquiring into how many cases were assigned to the individual bailiffs in the independ- ent case assignment system and exactly which bailiffs’ offices were supervised in 2019, 2020, 2021 and 2022 and what were the results of these supervisions. In this case, MBVK also stated that the data request was self-serving, however, the Authority resolutely deemed that the data request submitted by the request- ing party was not self-serving, it fully met the social purpose of exercising the right to access data of public interest. The corruption and criminal procedures involving MBVK naturally give rise to a great deal of interest on the part of the public, resulting in the public’s demand for increased transparency in the opera- tion of MBVK. In the course of its investigation, the Authority found that MBVK processed the data of the independent case assignment system and it should be able to determine by using simple IT query operations how many cases were as-signed to the individual bailiffs and how many cases were reassigned from the logged data, the electronic public register and the central register of judicial en- forcement cases.

MBVK did not state how long these logged data are retained but the fact that it failed to comply with the data request since 30 May 2022 has definitely caused a substantial encroachment on the rights of the requesting party to access data of public interest by infringing the requirement of timeliness and also because of the limited retention period of the data it processes, if some of the data had al- ready been erased.

The responses by neither MBVK, nor SZTFH revealed any justification for re- stricting accessibility, on the basis of which the data request could be reject- ed. This means that if the data are electronically available and can be retrieved from the databases processed by MBVK using simple IT query operations, the request for data of public interest must be complied with. To comply with the data request, it suffices, if the data sought in the data request can be queried in MBVK’s IT systems; the data request may not be rejected stating that MBVK “does not keep such records”.

The fact and the results of supervision involving bailiffs qualify as other per- sonal data related the performance of public duties by the bailiffs pursuant to Section 26(2) of the Privacy Act, hence they are accessible as data accessible on public interest grounds. The requesting party did not ask for access to the full documentation of investigations, supervisory reports or disciplinary procedures, together with the personal data of the persons participating in judicial enforce- ment procedures and those concerned in such procedures as MBVK interpret- ed. The data request can be complied with just by answering the question of the requesting party by issuing the personal data of the bailiffs accessible on public interest grounds without issuing the personal data of the other participants of ju- dicial enforcement or of the full documentation.

In Hungarian law on transparency, the data principle applies instead of the docu- ment principle: under Section 30(1) of the Privacy Act, if a document containing data of public interest contains also data to which access by the requesting party is not permitted, the data that must not be accessed shall be made unrecogniz- able on the copy, i.e. the issue of the entire document cannot be refused with ref- erence to the fact that it also contains data that must not be accessed.

Contrary to the view of MBVK the fact that sectoral regulation does not set forth an obligation to disclose the audits carried out by MBVK does not mean that the relevant data would not be accessible and issuable as data of public interest. In view of the fact that the positions of MBVK and the Authority have not come any closer even after the Authority’s third call, unfortunately the requesting party has to turn to the courts also in this case in order to have access to data of pub- lic interest, which is according to the Authority’s position accessible to anyone. [NAIH-4488/2023]

This year, there was a case in which MBVK interpreted the notifier’s request for data of public interest as an exercise of data subject’s rights.

In his request for data of public interest, the notifier wished to learn how many complaints were submitted to MBVK, because the bailiff failed to return the full auction deposit to unsuccessful bidders after the completion of the auction or its cancellation over the past five years, in a breakdown by years. MBVK interpreted the data request as a request for exercising the data subject’s right to access un- der Article 15 of the GDPR and informed him that on 10 March 2023, he was not shown as a debtor in the electronic public register kept on cases of judicial and administrative enforcement administered by independent bailiffs according to Section 253/E(1) of Act LIII of 1994 on Judicial Enforcement. In the course of the Authority’s investigation, MBVK declared that it interpreted the request for data of public interest as exercise of the right to access because of “an administrative error arising from a filing mistake” and following the receipt of the Authority’s let- ter, it rectified the erroneous provision of data for the notifier. [NAIH-8721/2023]

The concerns of the Authority related to the portal used by MBVK to comply with data requests are detailed in a separate subsection of the report on this issue.

13. Other organs performing public duties, NGOs performing public duties, organisations providing pu...

The Authority published information on the organs that are subject to the scope of the Privacy Act accessible through the link https://infoszab.hu/node/183 on the website https://infoszab.hu/, which was created as a result of priority project entitled ADMINISTRATIVE DEVELOPMENT OPERATIONAL PROGRAM”-2.2.6.-COMPETITIVE CENTRAL HUNGARY OPERATIONAL PROGRAM-2019-00001 “SURVEYING AND IMPROVING THE EFFICIENCY OF THE DOMESTIC PRACTICE OF THE FREEDOM OF INFORMATION”. This information was published in view of the fact that the Authority received a substantial number of notifications every year on non-administrative organisations performing public duties and/or managing public funds because certain business organisations held by the state or municipalities, other non-profit organisations backed by the state or municipalities, public bodies, public foundations and insti- tutions of tertiary education failed to meet requests for data of public interest be- cause in their view, the provisions of the Privacy Act governing compliance with requests for data of public interest do not apply to them.

The Authority found the following in relation to requests for data of public interest submitted to a limited company (hereinafter: Ltd) functioning as the sole share- holder of a foundation (hereinafter: Foundation) founded by the state subject to Act IX of 2021 on Trust Foundations with Public-service Mission (hereinafter: Trust Foundations Act).

Based on the data in the trade register, the Hungarian state used to be the sole shareholder of the Ltd; then, the Foundation became the sole shareholder of the Ltd. The Foundation performs public duties according Annex 1 to the Trust Foundations Act, it is founded with public funds, it manages public funds and performs public duties, hence it is subject to the Privacy Act. The same applies to the Ltd, as it was also founded with public funds, it has been managing pub- lic funds and it is involved in the performance of public duties to be carried out by the Foundation. In view of this, it is the Authority’s position that if the Ltd re- ceives a request for data of public interest and the company processes the data requested, it has to comply with the data request; if, however, the data request submitted to the Ltd is for data which can only be found in possession of the Foundation, the company has to provide information about the identity of the controller. [NAIH-5917/2023; NAIH-7325/2023]

In another case, a company also failed to comply with a request for data of pub- lic interest for sending copies of contracts concluded by and between the com- pany and the Foundation, because in their view, they did not qualify as an organ performing public duties under the Privacy Act. The Authority pointed out that the Foundation’s church background was irrelevant, because it performed public duties though its activities, while the company was involved in the performance of this public task through the contract concluded with the Foundation. The fi- nancial background for the company’s operation stems not only from its com- mercial activities, but partly from performing the contracts concluded with the Foundation. According to the Authority’s position explained in this case, it was not necessary to “transfer” the public duties from the Foundation to the company, it suffices that the company collaborated in the performance of the public duty for having to make the data related to the performance of the public duties available to the requesting party based on the Privacy Act. [NAIH-5436/2023]

In another case, the Authority pointed out with respect to a Foundation that pur- suant to Section 2(6) of Act III of 1993 on Social Governance and Social Benefits (hereinafter: Welfare Act), the development and provision of the framework of op- eration for the system of welfare institutions and measures are tasks of the state and of the municipality. When performing their duties related to providing the conditions of welfare care, the state and the municipality cooperate with church organisations and NGOs. Pursuant to Section 120 of the Welfare Act, a munici- pality may provide welfare services or services to enforce the right to rest also by way of contracts of care concluded with church organisations, other non-state organs, church or non-state operators. A Foundation was authorised through a contract of care concluded with a municipality to operate a home for the elder- ly providing comprehensive care for them in a property held by the municipality whereby the Foundation took over the performance of this municipal task. In the course of providing welfare services, the municipality and the Foundation – the latter up to its tasks taken over from the municipality based on contract – are un- der an obligation to guarantee the enforcement of the freedom of information, i.e. to make data of public interest and data accessible on public interest grounds ac- cessible to anyone. In view of all this, the Authority called upon the Foundation to comply with the request for data of public interest. [NAIH-86/2023]

In the context of a data request lodged with another Foundation, the Authority agreed with the Foundation that the requesting party misinterpreted a legal reg- ulation, which was the reason for his opinion that the Foundation inadequately complied with his data request. The reason for this is that the framework agree- ment specified under Section 20(1) of the Trust Foundations Act is not the same as the contract financing public duties under Section 18(1)(e) of the same act. Finally, the Foundation sent copies of both agreements to the requesting party. In the same case, the Authority established in the context of compliance with a data request for decisions of the Board that the Foundation violated the request- ing party’s right to access data of public interest when it wished to ensure access to them exclusively by way of inspection stating that the decisions also contained data concerning its commercial and business activities. The Authority pointed out that the accessibility of full documents cannot be restricted under the docu- ment principle and the requesting party is entitled to request a copy of the docu- ments according to Section 29(3) of the Privacy Act in view of its Section 30(1). [NAIH-29/2023]

A company rejected a request for data of public interest submitted concerning the use of a priority state sports facility asking for the detailed presentation of the revenues of the facility for several years in a breakdown by events and the detailed presentation of warranty repairs, citing its market interests and possible competitive disadvantage. The Authority pointed out that, in general, reference to a competitive disadvantage is inacceptable in the context of the utilization of facilities operated by the state. There is an outstanding interest in learning what revenues result from the utilisation of facilities operated by the state. If the com- pany is worried that the requesting party would incorrectly evaluate the revenue data by themselves, it has the opportunity to send supplementary information, so as to enable the requesting party to evaluate the totality of the data made avail- able to him and develop his position in this way. Drawing correct or, according to the controller, incorrect conclusions from the data may not influence the con- troller in issuing or withholding information. The company has to disclose all the data available to it in a recorded form on warranty repairs even if the value of the warranty repairs is not included in its records, given that the repairs were carried out under warranty. [NAIH-46/2023]

Certain public transportation companies performing public duties did not com- ply with requests for data of public interest asking for daily and ad hoc reports (hereinafter: reports) citing various reasons for rejection. [The reporting obliga- tion towards the Transport Safety Body (hereinafter: KBSZ) is imposed on the companies by Act CLXXXIV of 2005 on the Technical Investigation of Aviation, Railway and Marine Accidents and Incidents, Act CLXXXIII of 2005 on Railway Transportation and Decree 24/2012. (V.8.) NFM on the detailed rules of the tech- nical investigation of serious railway accidents, railway accidents and unexpect- ed railway incidents and of the operator’s examination.]

In the opinion of one of the companies, the daily reports do not include data of public interest as, in terms of extraordinary events, they contain information re- lated to several railway companies, undertakings and natural persons who can- not be associated with the state. The Authority found that the company qualifies as an organ performing public duties, the daily/ad hoc reports produced by it are held by the company and they relate to its activities and, furthermore, they were generated in the context of performing public duties, consequently they contain data of public interest.

The companies also stated that the reports were internal technical documents, work documents and they qualify as correspondence with KBSZ. According to the Authority’s finding, the requested documents were clearly not work documents, they were not made for internal use as they were sent to KBSZ. Sending the reports could not be regarded as correspondence as legal regulation re- quires that they be drafted and sent, they were not drafted in a letter format and they contained data of merit required by legal regulation.

The controllers also cited that the reports supported decision-making as they contained data required for the companies’ procedures, used for drafting the railway safety strategy, the annual testing schedule and the development of the business plan and their content also appeared in the documents on investigat- ing accidents. The Authority pointed out that for this restriction to comply with constitutional requirement, the relationship between the data supporting deci- sion-making and the future decision must be specific and direct, an abstract relationship to a decision cannot serve as a reason for restricting freedom of in- formation.

One of the controllers stated that the reports were available in a format, which also included personal data. The Authority called attention to the provisions of Section 30(1) of the Privacy Act, according to which, if a document containing data of public interest contains also data to which access by the requesting party is not permitted, the data that must not be accessed shall be made unrecognis- able on the copy. The Authority pointed out that the name and the unit dispatch- er making the notification indicated in the reports, the railway safety duty officer and the person receiving the report on the part of KBSZ qualify as data accessi- ble on public interest grounds, which can be disseminated if the principle of pur- pose limitation is respected. In view of the fact that the data request was for the content of the reports and not the persons making and receiving the notification, in view of the purpose-limited processing of personal data accessible on public interest grounds, the Authority recommended the blocking of the names of the notifier and the recipient in the documents. However, the Authority also called the attention of the company to the fact that if a data request is expressly aimed at the names of the notifier and the recipient, it is necessary to issue the required information calling on the requesting party to abide by purpose-limited process- ing. [NAIH-4613/2023; NAIH-4615/2023; NAIH-4529/2023]

In another case, the notifier initiated an investigation by the Authority in view of the rejection of a data request for accessing an internal auditor’s report closing an internal audit launched because of the delayed commissioning of a renewed facility. The controller answered the data request stating that all the current com- munications, news and information of the controller are available on the web- site, but the answer did not include any internet link and according to the finding of the Authority – which the controller also acknowledged – the requested data were accessible on the website. Then, the controller cited that they did not iden- tify the notifier’s letter as a request for data of public interest, in view of which the Authority called the controller’s attention to the need for assessing requests according to their content. After the Authority’s call, the controller rejected the data request with regard to the entire document citing Section 27(5) and (6) of the Privacy Act. The Authority then pointed out that: first, the two reasons for re- jection exclude one another, second, it is not permitted to cite these reasons in general, and third, the entire document cannot be qualified as data supporting decision-making. According to the repeated statement, the controller rejected the request in view of Section 27(6) of the Privacy Act, because issuing the re- sults of the internal audit to be accessed would jeopardise the performance of its functions and powers without undue external influence, in particular, the free expression of its views during the preparatory stage of decision-making con- cerning “various” renewals and investments. This means that in their repeated statement, the controller again cited “various” future decisions in general, they were unable to justify that access to the various data one-by-one would jeopard- ise their lawful operation or performance of their functions and powers without undue external influence, in view of which the Authority did not accept the con- troller’s answer. [NAIH-1279/2023]

Another company (hereinafter: controller) rejected compliance with requests for data of public interest concerning the operation of two of its terminated offices (fi- nancial management data, labour situation) also with reference to Section 27(6) of the Privacy Act and trade secrets. As, according to the controller’s statement, the financial data are accessible in the reports published on its website and the company provided the Authority with the requested information concerning the financial data and the data on the labour force not published on the website and gave reasons acceptable from the viewpoint of restricting the freedom of infor- mation and provided justification for the necessary and proportionate restriction of the freedom of information, the Authority accepted the controller’s answer and terminated the investigation based on Section 53(5)(b) of the Privacy Act. [NAIH- 961/2023]

In his request for data of public interest submitted to a company pursuing media activities (hereinafter: controller) the requesting party asked for the sound re- cording of an interview of a mayor broadcast live on a radio channel (hereinafter: sound recording). As grounds for rejection, the controller argued that the sound recording of the broadcast enjoys protection under copyright against its use by the requesting party with an unspecified purpose and content, possibly by high- lighting certain parts of the text in a different context. In response, the Authority pointed out that an organ or person performing public duties may not examine the purpose of the data request, hence it cannot be rejected on the grounds of the potential use of the data provided to the requesting party. The controller also cited that some of the broadcast information did not relate to the performance of the mayor’s public duties and were not accessible on public interest grounds. The Authority pointed out that when meeting requests, the data principle is en- forced, which means that the parts of the sound recording with regard to which there are justified reasons for excluding access as substantiated by the control- ler had to be edited or distorted by the controller prior to disclosure. The control- ler also argued that, with the possible editing of the sound recording, the content structure of the interview would be damaged, as a result of which the information in it would be distorted. The Authority pointed out that the Privacy Act – in view of the enforcement of the data principle – does not recognise damage to the integ- rity of a document, in this case a sound recording, as an impediment to access data of public interest or data accessible on public interest grounds. In view of all this, the Authority called upon the controller to meet the request for data of public interest in accordance with the requirements of the Privacy Act, and if the sound recording to be accessed also contains data subject to a restriction of access, those should be removed from the sound recording and the requesting party should be informed of the reasons for such removal. After this, the controller no- tified the Authority that according to Section 155(10) of Act CLXXXV of 2010 on Media Services and Mass Communications, it had to retain the sound recording for 60 days, hence in line with the controller’s practice it might have been erased during the procedure in progress before the Authority; however, this did not take place as a sign of its bona fide action. According to its notification, the control- ler following the Authority’s call ensured wider access than that required by the call and published a sound recording at a URL address accessible to anyone; however, after two weeks of accessibility it finally erased it. However, the con- troller failed to notify either the requesting party or the Authority of having made the sound recording public. In view of the above, the Authority issued a report concerning the controller’s infringement of the freedom of information because the controller not only failed to grant the requesting party’s fundamental right to access data of public interest or data accessible on public interest grounds, but it made it impossible to have any access to the data to be accessed by the re- questing part. [NAIH-2665/2023]

14. Consultative procedures

14.1 Access to data of public interest generated while exercising the powers conferred on a mayor

A citizen requested information from the Authority whether a municipal repre- sentative of the settlement or the body of representatives may request specific information and regular reports from the mayor on the relevant procedures con- ducted by him if the body of representatives delegates its powers defined in Act LXXIV of 2016 on the Protection of the Visual Environment of Settlements to the mayor by municipal decree.

The Authority informed the petitioner that Section 42 of Act CLXXXIX of 2011 on Local Governments of Hungary (hereinafter the Municipalities Act) provides for the non-transferable powers of the body of representatives. However, according to Section 41(4) of the Municipalities Act, “the body of representatives may dele- gate its powers to the mayor, its committee, the body of the sub-government, the municipal executive, its association, with the exceptions provided for in this Act. It may give instructions for the exercise of these powers and it may revoke these powers.” In the Authority’s view, therefore, if the body of representatives wish- es to request information or a report from the mayor on the procedures carried out by the mayor in the field of applying the instruments for the protection of the visual environment of the settlement, it may lawfully do so. [NAIH-5605-2/2023]

14.2 Making video and audio recordings at the meetings of municipal representatives

The Authority was asked in a consultation submission for its opinion on making video recordings of public meetings of the body of municipal representatives. The Authority is of the opinion that participation in public meetings of the body of representatives or committees and in an official capacity constitutes appear- ance in public within the meaning of Section 2:48(2) of the Civil Code, which does not require the consent of the person concerned for making and using the recording under the legal provisions quoted. Similar treatment applies to third persons who may speak at a public meeting, such as invited persons, persons concerned and the audience itself. It should also be emphasised that pursuant to Section 46(1) of the Municipalities Act, the meetings of the body of representa- tives are open to the public. Derogation from this may only be possible pursuant to Section 46(2) and (3). Section 52(1) and (2) of the Municipalities Act, minutes shall be taken of the meetings of the body of representatives, which minutes shall be signed by the mayor and the municipal executive. The minutes constitute a public document. The following provision is also contained in Section 46(3): “The voters may inspect the proposals and minutes of the meetings of the body of rep- resentatives, except in the case of closed meetings. The opportunity to inspect data of public interest and data accessible on public interest grounds shall also be provided in the case of a closed meeting. The decision of the body of repre- sentatives taken in a closed session shall also be public”. Pursuant to Section 2(2) of the Municipalities Act, local self-government expresses and implements local public will in local public affairs in a democratic manner by creating broad publicity. This includes the right to make visual and/or audio recordings and that the participants must tolerate the making of visual and/or audio recordings at the public meetings of the body of municipal representative and at the commit- tee meetings.

The events of the public meetings of the body of representatives and the commit- tees, as well as the minutes, visual and audio recordings of the meetings consti- tute data of public interest and data accessible on public interest grounds, which may be accessed by anyone, pursuant to Section 3(5) and (6) of the Privacy Act. Therefore, from the point of view of freedom of information, the minutes and the visual and/or sound recordings are treated in the same way, i.e. they are public and may be published on the Internet or on bulletin boards. Statements made by the municipal representatives at a public session of the body of representatives, as well as other personal statements, are also public statements, so in the case of public sessions, the contributions are also public. [NAIH-3232-2/2023]

14.3 Access to payment vouchers for a person performing public duties

An applicant has repeatedly requested information from the Authority on whether a municipal executive of a large village has lawfully refused to respond to a re- quest for data of public interest. The complainant requested the Mayor’s Office to send an electronic copy of the receipt for the repayment of the funeral allow- ance to the Office’s cashier, indicating the legal title for the repayment. The mu- nicipal executive refused to reply to the request for data of public interest, on the grounds that the data requested did not constitute budgetary support within the meaning of Section 1(14) of Act CXCV of 2011 on Public Finances (hereinafter the Public Finances Act) and were therefore not data accessible on public inter- est grounds. The Authority has provided information on the fact that Section 179 of the civil Servants Act classifies the personal data of a government official as data accessible on public interest grounds. The amount of regular, ad hoc, cash and in-kind benefits paid to managers, such as allowance in lieu of leave, bonus- es, substitution payments, earnings supplements and special benefits, are per- sonal data generated in connection with the performance of public duties, and can be accessed by anyone, so the controller is obliged to fulfil this part of the data request, broken down as requested. However, the allowances provided un- der Section 152(1) of the Civil Servants Act are paid to the government official by the organ performing public duties with regard to events and life situations that may be related to the private sphere, so they may only be disclosed in a break- down by name with the consent of the persons concerned and, therefore, in the absence of consent, they may only be disclosed in aggregate form, as data of public interest related to the management of the organ performing public duties. Following the consultation response, the complainant initiated an investigation procedure. [NAIH-9371/2023]

14.4 Grating access to and disclosing asset declarations

A citizen asked the Authority whether it was lawful for the municipality not to send him a copy of the declaration of assets of the municipal representatives and the mayor in response to his request for data in the public interest, but he would have been given access to review the requested documents at a pre-ar- ranged time.

In the Authority’s view, pursuant to Section 29(3) of the Privacy Act, the notifier may receive a copy of a document or part of a document containing the data, regardless of the mode in which it is stored. The organ performing public du- ties that handles the data may set a reimbursement for the fulfilment of the data request up to the amount of the costs incurred in connection with the request, if the costs incurred exceed the lowest amount of the reimbursement set in the Government Decree, provided that the amount of the reimbursement so set may not exceed the highest amount set in the Government Decree. The amount of the reimbursement and the options for fulfilling the request for data not requir- ing copying shall be communicated to the notifier within 15 days of receipt of the request.

With a view to Section 29(3) of the Privacy Act, it is only possible to fulfil a re- quest for data of public interest by inspection if it is accepted by the applicant. However, the Authority also drew the complainant’s attention to the fact that, pursuant to Section 29(1a) of the Privacy Act, the organ performing public duties that handles the data is not obliged to comply with the part of the data request which is identical to a data request for the same data set submitted by the same applicant within one year, provided that there has been no change in the data in the same data set. [NAIH-6676/2023]

14.5 The mayor’s representation account

Has the municipal executive acted lawfully when he did not send the data re- quested by the notifier as requested? The complainant requested the disclosure of the costs of representation for a specific period in a table format, broken down by year, indicating the issuer, date and amount of the invoice or receipt. The mu- nicipal executive did not reply in the form, with the breakdown and the data con- tent requested, within the legal deadline.

The Authority informed the complainant that, as this concerns the use of public funds, transparency and verifiability are of paramount importance as a matter of public interest. At the same time, freedom of information and the right to infor- mational self-determination must be enforced in relation to each other, so in de- termining the scope of other personal data relating to the performance of public duties [Section 26(2) of the Privacy Act], it must be taken into account whether their disclosure would not disproportionately infringe the right to privacy. The amount of regular and ad hoc benefits paid to managers in cash and in kind, such as allowance in lieu of leave, bonuses, substitution payments, earnings supple- ments and special allowances, are personal data generated in connection with the performance of a public duty and can be accessed by anyone, so the con- troller is obliged to fulfil this part of the data request, broken down as requested. [NAIH-7093/2023]

14.6 Right of access to data by municipality representatives in the context of financial management

Two municipal representatives asked the civil servant of the branch office to make copies of all the bank account statements and related documents of the municipality for the period from January to September 2023 and to hand them over to them. The request for a decision was to ask whether a copy of the full fi- nancial documentation could be released to the representatives and, if so, un- der what conditions or with what restrictions. Also, an objection was made to the fact that the representatives made their request for data orally to the civil servant and not to the mayor “in accordance with the provisions of Section 32(1)(f) of Act CLXXXIX of 2011 on the Municipalities of Hungary”.

In the Authority’s view, pursuant to Section 32(2)(b) of the Municipalities Act, a municipal representative may request information on matters of the municipality from the mayor (deputy mayor), the municipal executive and the chairman of the committee, to which a substantive reply must be given at the meeting of repre- sentatives or in writing within thirty days at the latest, and he may request infor- mation necessary for the work of the representative from the mayor pursuant to Section 32(2)(f). In matters of public interest, he may request the mayor to take action, to which he must reply in substance within thirty days.

The mayor is therefore obliged to give the representative a substantive answer to the questions addressed to him in accordance with the law, and in the event of failure to do so, the competent Government Office exercising legal superviso- ry powers pursuant to Section 1(2) and 127 of the Municipalities Act may initiate measures pursuant to Section 132 of the Municipalities Act.

On the other hand, under the provisions of the Privacy Act, municipal representa- tives have no extra rights, i.e. they can access data of public interest or data ac- cessible on public interest grounds under the same conditions as anyone else. Personal data, with the exception of personal data accessible on public interest grounds, cannot be disclosed to them at all in the absence of a legal basis. In the present case, it is not the right of access to data of public interest that has been infringed, but the specific right of access of municipal representatives, as detailed above. In the light of the foregoing, the Authority is not entitled to deter- mine the scope of the right of access of municipal representatives, it is a matter for the Government Office to assess. [NAIH-8976-2/2023]

14.7 Access to extracts from the general ledger of a publicly owned company

A municipal representative submitted a complaint to the Authority because a company wholly owned by the municipality failed to comply with its requests for data of public interest concerning the company’s general ledger extracts and general ledger files for the years 2021 and 2022, which he considers to be enti- tled to receive as a municipal representative, as he would be able to review the company’s financial management in detail on the basis of the requested data.

Pursuant to Section 30(7) of the Privacy Act, the provisions of separate laws ap- ply to the disclosure of data for the purpose of comprehensive, account-level or itemised audit of the financial management of organs performing public duties. In the present case, the Authority came to the conclusion that the data in question, which, according to the notifying party’s declaration, was also requested in order

to obtain full knowledge of the financial management of the company, constitute a comprehensive, itemised audit as it covers the entire financial management of the company over two years. Since the request for data must be fulfilled pursu- ant to Section 30(7) of the Privacy Act only if the request can be distinguished from the checks on the expediency, efficiency and legality of the financial man- agement of organs performing public duties – since separate bodies are entitled to carry out such checks – the Authority found it lawful to reject the request for data of public interest. The full text of the resolution is available on the website. [NAIH-6367-2/2023]

14.8 Criminal information that may be provided by the mayor

The mayor of a municipality requested information from the Authority on the lawful way of informing the body of representatives and the public. In 2019, af- ter his election, a series of indications of misappropriation were uncovered in the Office, and the municipality filed a report against an unknown perpetrator. According to the District Court, a former employee of the Office was convicted of the crime of continuous embezzlement and the former mayor and his associates were charged by the District Prosecutor’s Office with the crime of budget fraud causing substantial financial loss.

Section 179 of the Civil Servants Act classifies the name and other personal data of a government official as public data accessible on public interest grounds. The freedom of information and the right to informational self-determination must be enforced with respect to each other, so when determining the scope of other per- sonal data in connection with the performance of a public task [Section 26(2) of the Privacy Act], it must be taken into account whether their disclosure would not disproportionately infringe the right to privacy. The Authority also drew the Office’s attention to the fact that, where another person is involved in the pro- ceedings or in the judgment at first instance, disclosure of personal data beyond those generated in the context of the performance of the public task of the per- son performing the public task and of personal data relating to a third party is un- lawful. In providing information and disclosing data, attention should also be paid to whether judgments have become final, whether the processing and disclosure of personal data accessible on public interest grounds in the course of ongoing proceedings does not violate the presumption of innocence, and to the neces- sity and proportionality of the processing of personal data of the data subjects. The responsibility for the lawfulness of the processing of personal data lies with the controller (the person who takes and implements the decision) and it is not replaced by a position of the Authority.

While the information provided to the body of representatives – in the case of a closed meeting – can be considered as transmission of data, the information pro- vided to the public constitutes disclosure of data. It follows from the above that in the case of a request for data of public interest, the Office is obliged to process and provide information on the data it holds in accordance with the relevant pro- visions of the Privacy Act and the GDPR. [NAIH-9210/2023]

14.9 Use of images, exercise of data subject rights in the context of freedom of the press

A citizen requested information from the Authority regarding a complaint about data processing by the editorial board of a major news portal, in which the Authority did not launch an investigation and the notification was rejected without examining the merits of the case on the basis of Section 53(3)(a) of the Privacy Act in view of the pending legal action concerning personality rights.

A natural person’s face, likeness, image and audio and video recordings of him or her are personal data and their collection, recording, storage and use (in- cluding publication) constitute processing. As the complainant is clearly identifi- able in the video footage in question, the editorial board is processing data. The Authority recommended that, in respect of the processing complained of, the complainant should contact the controller (the publisher) in a justifiable manner under Article 21 (right to object) of the General Data Protection Regulation and request that his/her image be made unrecognisable, stating his/her reasons. If the controller does not comply with or refuses the data subject’s request, he or she may lodge another complaint with the Authority. [NAIH-6297/2023]

14.10 Those subject to publication obligation in the Central Information Register of Public Data

It was raised as a consultation question whether the obligation to provide data on the website of the Central Information Register of Public Data applies to com- panies held by municipalities – as business entities which perform public duties that are not listed in the general register of the Hungarian State Treasury but in the trade register.

The Authority pointed out in connection with the case that the publication ob- ligation applies to all budgetary bodies except the national security services. Consequently, it does not apply to non-budgetary bodies, i.e. only budgetary bodies are subject to the obligation to publish specific financial management data on a bi-monthly basis on the newly created Central Information Register of Public Data (hereinafter “the Platform”). The method and content of the publication are set out in Section 37/C of the Privacy Act and in Government Decree 499/2022 (XII. 8.) on the detailed rules of the Central Information Register of Public Data. The publication obligation applies to data generated on or after 29 November 2022. The Authority also pointed out that a company listed in the trade register may perform public duties, but it is not a budgetary organ under Act CXCV of 2011 on Public Finances (Act on Public Finances), and therefore, based on the provisions of the Central Information Register of Public Data established under Chapter 24/B of the Privacy Act, it is not a body required to publish data on the Platform. In view of this, it is not required to publish data of public interest relating to its financial management in this area. However, it is important that the obliga- tion to publish on its own website or on the website of its supervisory body or on the central website (kozadat.hu) [Section 33(3) of the Privacy Act], as well as the obligation to publish under Act CXXII of 2009 on the more economical operation of publicly owned companies, continues to apply to companies performing public duties, as was the case previously. [NAIH-1221-2/2023]

14.11 Retention period of a disclosure unit on financial management

A university requested the Authority’s views in its submission for consultation on which legislation defines the retention period for disclosure items 2 and 6 of dis- closure unit III. Financial management data of the General Disclosure Schedule. According to the Authority’s position, neither Annex 1 of the Privacy Act, nor Decree 18/2005 (XII. 27.) IHM contain any provision on the retention period of the data disclosed in the disclosure units indicated in the submission. With re- gard to the retention of disclosed data of public interest and data accessible on public interest grounds, the Authority is of the consistent opinion that the trans- parency of the operation of an organ performing public duties is facilitated if not only current data of public interest and data accessible on public interest grounds are disclosed, but data previously disclosed remain accessible in the disclo- sure scheme by keeping the data in the archive. The Authority drew attention to the fact that requests for data of public interest may be submitted for archived data even after one year from the date of disclosure, which the data controller is obliged to comply with according to the provisions of the Privacy Act. In the case where the data to be accessed are available in the archive of the general disclo- sure scheme, the data request may also be lawfully fulfilled by sending a link to the data in the archive. [NAIH-1588/2023.]

15. Authority procedures for the supervision of classification in the field of the freedom of inform...

15.1 Authority procedure for the supervision of classification in connection with the classification of the investigation report based on OBHE Decision 6.Sz/2022 (I.28.) on the targeted investigation of the Metropolitan Court of Budapest

Transparency International Hungary Foundation brought an action before the Metropolitan Court of Budapest against the National Office for the Judiciary (hereinafter: OBH) for the disclosure of the investigation report based on OBHE Decision 6.Sz/2022 (28.I) on the targeted investigation to be conducted at the Metropolitan Court of Budapest, as well as any other documents or data contain- ing the findings of the persons appointed to conduct the targeted investigation, their conclusions or positions in connection with the targeted investigation.

The OBH, as the respondent in the litigation, stated that the ‘any other docu- ments or data containing the findings of the persons appointed to carry out the targeted investigation, their conclusions or positions in connection with the tar- geted investigation’ subject to the request for data and referred to in the petition do not exist, because they are contained in the investigation report based on OBHE Decision 6.Sz/2022 (28.I) of 28.I. on the targeted investigation to be car- ried out at the Metropolitan Court of Budapest, referred to in point 1 of the petition.

The president of the OBH classified the referenced investigation report as “Restricted” national classified information with a validity period of 10 years. In view of this, he refused to comply with the data request on the basis of Section 27(1) of the Privacy Act. The Metropolitan Court of Budapest initiated the author- ity procedure for the supervision of classification with regard to the lawfulness of the classification of the data subject to the litigation.

As a result of the authority procedure for the supervision of classification, the Authority established the breach of the following with regard to the classifica- tion of the report generated in the course of the targeted investigation ordered by Decision 6.SZ/2022.(I.28.) OBHE pursuant to Section 63(1)(a) of the Privacy Act;

Section 5(1) of the Classified Data Protection Act10,
Section 5(3) of the Classified Data Protection Act,
Section 6(1), (2), (3) and (4) of the Classified Data Protection Act and
Section 38(3) of Government Decree 90/2010. (III.26.) on the Roles of the National Security Authority and the Handling of Classified Information, therefore it called upon the classifier to terminate the classification in ac- cordance with Section 63(1)(a)(aa) of the Privacy Act.

Pursuant to Section 63(2) of the Privacy Act, the Authority applied a repeated classification marking with regard to the content of the justification of the deci- sion in view of the possibility of legal remedy against the decision adopted in the authority procedure for the supervision of classification and its suspensive ef- fect. As the decision was challenged by the classifier in an administrative appeal, which is still pending, the classification still stands. [NAIH-503/2023]

15.2 “Pseudo” authority procedures for the supervision of classification

According to the essence of Section 31(6a) of the Privacy Act, if the controller re- fuses to grant a request for access to data of public interest because the data of public interest or data accessible on public interest grounds cannot be disclosed because it is classified data under the Classified Data Protection Act, and the data subject goes to the court for review of the refusal to disclose the data of pub- lic interest, the court shall initiate an authority procedure for the supervision of classification by the Authority. Pursuant to Section 62(1a) of the Privacy Act, if the court initiates an authority procedure for the supervision of classification as de- fined in Section 31(6a), the Authority shall initiate the authority procedure for the supervision of classification. Therefore, the Authority has no discretionary power to initiate proceedings under the provision of Section 62(1a) of the Privacy Act, and if the court initiates the launch of the authority procedure for the supervision of classification on the basis of this provision, the Authority is obliged to initiate the procedure. It follows from Section 62(1) of the Privacy Act that the Authority may, in the course of its authority procedure for the supervision of classification, examine the lawfulness of the classification or the repetition of the classification marking of national classified information, i.e. in order for the procedure to be conducted, there must be classified information which has been created prior to the procedure and which can therefore be examined as to the lawfulness of the classification. If classified information exists, there must also be a classifier (or a person repeating the classification marking), since classified information can be lawfully created as a result of the classification procedure. Only the classifier (or the person repeating the classification marking) can be a client of the authority procedure for the supervision of classification before the Authority.

It is important to emphasise the above because the Authority has recently re- ceived several submissions in which the court initiated the launch of authority procedure for the supervision of classification with reference to Section 62(1a) of the Privacy Act, but based on the examination of the transcripts sent by the courts and the attached documents, it was likely that no classified data had been generated in the main case before the procedure was initiated. In these cases, although the Authority found that the conditions for starting the authority proce- dure for the supervision of classification – such as the existence of classified information and the existence of a classifier – were not met, it had to start the authority procedure for the supervision of classification as it had no discretion.

In the course of the fact-finding it was established that, in the cases referred to, there was no classified data among the data that were the subject of the litiga- tion, therefore the continuation of the authority procedure for the supervision of classification became pointless due to the lack of classified data, therefore the Authority decided to terminate these authority procedures for the supervision of classification pursuant to Section 47(1)c) of the Act on General Administrative Procedures.

In these cases, the Authority was therefore obliged to initiate authority proce- dures for the supervision of classification in the absence of classified informa- tion, i.e., it had to initiate and conduct the procedure despite the fact that there was no national classified information to be examined. In the absence of clas- sified information, it would also be meaningless to identify the classifier (or the person repeating the classification marking), who is the client of the authority procedure for the supervision of classification.

The number of such “pseudo” procedures for the supervision of classification would presumably be reduced by interpreting the provisions of Section 62(1) and (1a) of the Privacy Act in the same way as intended by the legislator. In applying these rules, the starting point is that the data which are the subject of litigation before the courts under Section 31(6a) of the Privacy Act include classified data and that it is likely that the classification of these national classified data or the repetition of their classification marking is unlawful. According to the Authority’s position it is only under these conditions that the initiation of a procedure for the supervision of classification by the courts on the basis of Section 62(1a) of the Privacy Act can be interpreted. The purpose of the authority procedure for the supervision of classification initiated under Section 62(1a) of the Privacy Act is not to establish whether the data which are the subject of the litigation contain classified information at all, but to establish whether or not the classification of the national classified information designated by the court or the repetition of the classification marking is unlawful. The Authority considers it important to call at- tention to the fact that in cases where a court has initiated the launch of author- ity procedures for the supervision of classification, it is for the court to determine as precisely as possible the scope of the classified information to be examined in the context of the authority procedure for the supervision of classification. [NAIH-7114/2023]

2022

1. Introduction

In addition to dealing with inquiry and consultation cases related to the freedom of information, NAIH Department for Freedom of information also investigates so-called border area cases, i.e. those concerning data protection, freedom of information and other rights to information and communication whether under inquiry procedures or authority procedures for data protection (in 2022, there were 71 cases of the latter type of procedure), response to requests for data of public interest received by the Authority, and keeps the registry of reports on rejected requests for data. The Regulatory and Data Classification Supervisory Department carries out authority procedures for the supervision of data classification. The KÖFÖP (Public Service Development Operative Programme) freedom of information research project was closed on 31 December 2022.

2. Substantial changes in legal regulations affecting freedom of information from 2022

In each case, the origin of the amendments effected in October 2022 was the European Commission; they were formulated as claims in the so-called conditionality mechanism linked to the supervision of the use of EU budgetary funds.

First, major changes were made to the rules of fees for meeting requests for data of public interest with a view to easing access to data of public interest; the amendments to the Privacy Act and the Cost Decree entered into force on 13 October 2022^{^[1]}. The possibility of requesting fees because of the disproportionate use of labour resources regulated in Section 29 of the Privacy Act was deleted and with regard to the remaining cost elements (the cost of the data storage medium/making copies and the costs of delivery), the implementing decree established limits. Hereinafter, the costs of labour resources shall be borne in full by the organs performing public duties processing the data (data owners). In the case of costs not exceeding the minimum amount (HUF 10,000) set forth in Section 6 of the Cost Decree, no fee can be applied to cover the costs, while in the case of costs above this, the maximum amount that may be charged is HUF 190,000. There is no change in that only actually incurred - i.e. verifiable - costs may be covered by the fee and it should be underlined that charging a fee will not be mandatory in the future, it may only be done if the organ performing public duties processing the data decides responsibly to apply the rules concerning the establishment of the fee to cover the costs. In such a case, the request for data shall be fulfilled within 15 days from the payment of the fee by the requesting party.

On 8 November 2022, Parliament decided on another Privacy Act amendment which – incorporated in the law as lex specialis – determines the rules of litigation that may be launched in relation to a request to access data of public interest different from those of civil procedure (basically, similarly to press litigation, the amendment speeds up the process of the procedure and generally requires expedited hearing).

As a result of the amendment adopted on 22 November 2022, a Central Information Public Data Registry was set up, which enables access to the most important financial management data of budgetary organs in an integrated central database, in particular, the data of budgetary support amounting to at least five million forints granted by them from domestic or European Union funds, public procurements, contracts and payments which are updated every two months and will be accessible for 10 years. The Registry enables the classification and comparison of the data. Obligees are to disclose the data generated on or after 29 November 2022 for the first time by 28 February 2023 at the latest. The mode and accurate content of the disclosure are set forth in Section 37/C of the Privacy Act and Government Decree 499/2022 (XII. 8) on the detailed rules of the Central Information Public Data Registry. The reports are to be filed using a downloadable datasheet in accordance with the Guidance in the User Rules². As the operator of the new registry, the Nemzeti Adatvagyon Ügynökség Kft. publishes the data on the workday following the receipt of the datasheet. If a budgetary organ fails to meet its obligation to disclose the data on this platform, or discloses inaccurate or deficient data based on request the Authority launches an authority procedure for transparency or may launch an authority procedure for transparency ex officio. The period open for conducting a new authority procedure is 45 days. In the event of an infringement, the Authority orders expedited meeting of the disclosure obligation, which shall not be later than within 15 days. If the budgetary organ still fails to comply within 15 days, the Authority may impose a fine whose amount may extend from a hundred thousand forints to fifty million forints. Requests for launching a transparency procedure may be submitted to the Authority from 28 February 2023.

Finally, it should be noted in relation to the period open for providing data in 45+45 days applicable in emergency situations in force for a, extended period of time that although the effect of Government Decree 521/2020. (XI. 25.) was extended in the context of the emergency of the war in Ukraine until 31 December 2022, thereafter a response period of 15+15 days specified in the Privacy Act was re-established, i.e. organs performing public duties have to respond according to the original procedure in 2023.

[1] Act XXVIII of 2022 on amending certain acts related to the control of the use of European Union budgetary funds and Government Decree 382/2022 (X. 10) on the amendment of Government Decree 301/2016. (IX. 30.) on the extent of fees that may be set for fulfilling request for data of public interest (Cost Decree) ² https://kif.gov.hu/#/regulation

3. Important decisions of the Constitutional Court in 2022

Constitutional Court Decision 3438/2022. (X. 28.) AB concerning the rejection of the constitutional complaint against Curia Order Bfv.II.750/2021/6

According to the position of the mayor submitting the petition, the court decisions condemning him for defamation because of the disclosure of data of public interest related to the financial management of the municipality (in the context of a query by the National Tax and Customs Administration, he stated that the deputy mayor concluded a contract on behalf of the municipality without being authorized to do so), infringe his constitutional right to disclose data of public interest and his fundamental rights to the freedom of expression and fair court procedure. According to the facts of the case established by the courts, the petitioner made a statement of fact in the case under investigation, but he was unable to prove its truthfulness. Establishment of the truthfulness of a statement is the responsibility of courts with general jurisdiction and the Constitutional Court may not review its result. Even public figures may successfully invoke the protection of their personality rights against false statements or those made in front of the public that are not demonstrated to be truthful. In the course of their proportionality test, the courts took into account that the petitioner went substantially beyond responding to the request, accused the injured party of having committed a crime and the disclosure was objectively suitable for defaming the injured party.

Constitutional Court Decision 3258/2022. (VI. 3.) AB concerning the rejection of a constitutional complaint

The petitioner requested that the respondent business organisation be obligated to disclose data of public interest with regard to altogether ten investment projects financed from European Union funds or public money as the winner of public procurement tenders concerned in the data request or as a member of the winning consortia. He requested the disclosure of the exact types and total quantities of all the building materials and all the material assets used, their sources of procurement and prices, as well as documents verifying payment , procured and/or incorporated by the respondent. In its judgment 26.P.20.281/2020/9, the court of first instance rejected the petition in a repeated procedure because having jointly interpreted Article 39(2) and (3) of the Fundamental Law and Section 3(5)-(6) and Section 27(3) and (3a) of the Privacy Act, it concluded that the respondent was not managing public moneys, hence it was not subject to the obligation to publicly disclose its financial management. The court underlined that the amounts the respondent obtained through public procurement tenders financed by European Union funds could not be regarded as revenues, expenditures or claims of the state, hence they do not qualify as public moneys. The court of second instance taking action based on the petitioner’s appeal altered the judgment of the court of first instance with its judgment Pf.III.20.050/2021/3 and ordered the respondent to issue the requested data; however, the Curia’s judgment Pfv.IV.20.904/2021/5 annulled this and approved the judgment of the court of first instance. Instead of deciding on the acceptance of the complaint, the Constitutional Court adopted a draft decision containing the adjudgment of the complaint in merit and rejected the petition. According to the decision, the notion of public fund in the Fundamental Law overrides every other interpretation in earlier decisions of the Constitutional Court, and according to Article 39(3) of the Fundamental Law, it is not the source of the assets provided, i.e. its origin, that is the decisive factor in the notion of “public funds”; in addition, there is no rule, which would declare certain data in the contracts of business organizations concluded with one another as data of public interest or data accessible on public interest grounds.

Constitutional Court Decision 3177/2022. (IV. 22.) AB concerning the annulment of court decisions (judgment 8.Pf.20.188/2021/9 of the Fővárosi Ítélőtábla [Budapest Court of Appeal] and judgment 62.P.20.901/2020/11 of the Fővárosi Törvényszék [Budapest Municipal Court])

The petitioner NGO requested the Ministry of Human Resources in 2019 to send the findings of the investigation carried out by or on behalf of the ministry on the SROP - Bridge to the World of Work project. The Criminal General Directorate of the National Tax and Customs Administration is conducting an investigation against an unknown perpetrator in relation to the projects concerned in the litigation because of the well-grounded suspicion of having committed budgetary fraud. According to the court, the controller lawfully refused the fulfilment of the data request with reference to Section 27(2)(c) of the Privacy Act and Section 109(1)(e) of Act XC of 2017 on Criminal Procedures (hereinafter: Criminal Procedures Act). As pointed out by Constitutional Court Decision 4/2021. (I. 22.) AB, the framework for restricting freedom of information is set forth by the Privacy Act – also in view of Article I(3) of the Fundamental Law – which recognises three categories: a) classified data; b) data in support of a decisionmaking process [Privacy Act Section 27(5)]; and c) restriction by a separate act [Privacy Act Section 27(2)]. The Constitutional Court underlined that Hungarian constitutional dogmatics are driven by data and the application of the law, the restriction of data does not set in ex lege in any case, in actual fact “the decision to restrict freedom of information is carried out by the controller even with the most extreme reasons”. This means that freedom of information is never automatically restricted by force of law, it always requires a decision by the controller. “This clause may be regarded as the essence and the primary safeguard of the freedom of information, which extends to all three types of restriction (classified data, data supporting decision-making and restriction by separate act). It is therefore constitutionally impossible to directly block data by law.” {Constitutional Court Decision 4/2021. (I. 22.) AB, Justification [46]–[48]} [26].

In the case at hand, the court established that of the types of restriction of the freedom of information presented in Decision 4/2021. (I. 22.) AB, the third one applies. In such cases, the court weighs the matter in two phases: a) first, the court has to identify the legal regulations applicable to the case that restrict the right to access data of public interest and data accessible on public interest grounds, which enables the blockage of the data from the public (legal grounds), and b) on that basis it has to weigh the lawfulness of the controller’s decision and the reasons for the restriction (necessity and proportionality). The challenged decision of the court formally meets this requirement, but in terms of content, it is not in line with constitutional requirements, if the court makes its decision concerning the restriction of the freedom of information without specifically examining the actual content of the documents requested. In its earlier decisions, the Constitutional Court acknowledged the prosecution and prevention of crimes as constitutional values which may in the given case warrant the restriction of fundamental rights {Constitutional Court Decision 3255/2012. (IX. 28.) AB, Justification [14]; Constitutional Court Decision 3269/2012. (X. 4.) AB, Justification [20]; Constitutional Court Decision 3038/2014. (III.13.) AB, Justification [32]}. [36] The justification of the challenged judgment, however, shows that the court referred only to the statement of the National Tax and Customs Administration in this regard and based its decision exclusively on it. It could not be established that the court itself examined the content of the requested documents and established as a result that they were subject to the restriction of access. Assuming that the refusal to issue the data rests on the appropriate legal basis, the statement of the investigative organ on the existence of interest in the prosecution of crime may be an important – even decisive – factor in demonstrating proof. However, knowledge of the content of the requested document and its actual examination by the court – similarly to the case of data supporting decision-making – cannot be dispensed with. Without this, the substantive review of the justification and reasonableness of the grounds for refusal put forward by the controller for restricting freedom of information – and so, the exclusion of an arbitrary decision by the controller – is not possible for the court as part of the protection of the freedom of information as a fundamental right, because it allows for its not strictly necessary – i.e. formal – restriction. In the absence of the consistent enforcement of the data principle, there is a risk that a general reference to the interest of criminal procedures would enable the denial of access to data that are otherwise undisputedly of public interest for an unlimited period of time.

Constitutional Court Decision 3179/2022. (IV. 22.) AB concerning the rejection of a constitutional complaint (related: Constitutional Court Decision 3401/2022. (X. 12.) AB)

The petitioner NGO made a request for data of public interest to a ministry in which it requested copies of reports on the Öveges-program project and the Bridge to the World of Work project investigated by the European Antifraud Office (OLAF) submitted to the Government and all other information or data concerning OLAF’s and the Government’s common position on these projects. The controller refused to issue the data stating that according to the Court of Justice of the European Union OLAF’s investigative documents are entitled to a general protection, on the basis of which it was exempted from public access to the documents and only substantial public interests may allow for an exception. The court of first instance rejected the petition and established that an omission on the part of the respondent ministry with regard to the consultation to be conducted with the director general of OLAF may not automatically result in an obligation to issue the data. The reason for this is that in the absence of consultation, the director general of OLAF is entitled to make a decision on the issue of the data. The court of second instance taking action as a result of the petitioner’s appeal upheld the judgment of the court of first instance. In its judgment, it established that in relation to the investigative reports, the ministry only carries out coordinating activities, which is not the same as any of OLAF’s activities, thus the requested data were generated not by the ministry and not in relation to the performance of its public duties, hence the ministry is not under an obligation to make them accessible. In its judgment, the Curia upheld the force of the final judgment and established that “the respondent [...] had a legal position concerning the rejection of the issue of the data worthy of examination”, which the Curia also regarded as being well-founded, when by reference to the indicated European Union regulations through their interpretation, it arrived at the conclusion that “the director general of OLAF is entitled to make the decision on the issue of the data” (Curia judgment Pfv.IV.20.948/2020/6, Justification [20]–[21]). According to the opinion of the Constitutional Court, the question whether the court correctly interpreted the EU legal requirements applied and whether, on that basis, it justifiably identified OLAF in the present case as the organ entitled to make the decision is an issue of the interpretation of specialised EU law, whose review would be outside the Constitutional Court's duty to protect fundamental rights, even if it would otherwise disagree with the legal interpretation of the court.

4. Important court judgments in 2022

Pfv.IV.21.217/2021/5.: The petitioner Member of Parliament requested data of public interest concerning the transfer of an indirect holding in a power plant plc. from the respondent business organisation in public ownership ensuring the energy supply of the country. The court of second instance annulling the judgment of first instance correctly established that Section 7/I(1) of Act CXII of 2009 on the More Economical Operation of Business Organisations in Public Ownership contains requirements concerning non-accessibility without the need for carrying out any other investigation, hence the data of public interest specified in Annex 1 to the Act are not accessible for the period specified in its annex. It established that in the case under litigation, the blockage of the data from access was substantiated by the decision of the Ministry of Defence qualifying the power plant as a national critical system element, and the official statement of the Office for the Protection of the Constitution concerning the fact that national security interest obtained. In view of this, it was mandatory by force of the law for the respondent to refuse to issue the data without any additional consideration, hence the Curia found the petition for the review the final judgment submitted by the petitioner ungrounded.

Pfv.21.493/2021/5.: The petitioner asked for the documents of the impact assessment for Act C of 2020 on the Medical Service Legal Relationship in his request for data of public interest; however, the respondent refused to issue the data with reference to their nature of supporting decision-making. The court of first instance established that when refusing the request, the respondent failed to accurately indicate their future decision, as well as to weigh the public interests according to Privacy Act Section 30(5). The respondent in its counter-petition in the litigation indicated the three implementation decrees to the act, which had already been promulgated as “future decisions”. The court of first instance had to take a position on whether the lawfulness of the issue of data of public interest supporting decision-making can be examined exclusively on the basis of the circumstances existing at the time of refusal under Section 27(6) of the Privacy Act, or if the decision indicated as the basis for refusal was made in the course of the procedure, whether the data could be issued without the submission of a new request for data. In its decision upheld by the court of second instance, the court of first instance ordered the respondent to issue the data. Under the decision, if the reason for refusal no longer obtains in the litigation and it is not disputed, the controller may be ordered to issue the requested data of public interest. The Curia upheld the final judgment.

Pf. 20.043/2022/8.: The petitioner submitted a request for data of public interest to the Ministry in charge of healthcare with regard to the study supporting the decisions concerning the transformation of healthcare made by the limited company and the technical description in the contract on the production of the study. The court of second instance arrived at the conclusion by examining the enclosed study and the documents submitted that the study also supports additional decisions as, according to the documents, the transformation of healthcare consists of three phases, of which the second has not yet been completed, and the third has not even started. The Constitutional Court in its decision 6/2016.(III.11.) AB pointed out that the entire document – in view of the fact that the data principle is enforced and not the document principle – cannot be blocked from access with reference to its decision supporting nature; in this case, however, the court established following the specific examination of the study that in view of the interrelations of the tasks, the entire document supported decision-making.

Pf.20.158/2022/5.: In contrast to the previous decision, in the case of a request for data of public interest concerning policy programmes approved by Government Decision 1722/2018. (XII.18.) – as the “Healthy Hungary 2021-2027 Healthcare Sectoral Strategy” was adopted based on the policy programmes and the respondent failed to prove that the programmes also laid the foundations for additional decisions other than the adopted strategy – the court ordered the respondent to issue the data in view of the fact that the decision was made and no evidence was provided that it laid the foundations for future decisions.

Pf.20.239/2022/6.: The petitioner requested that the respondent is ordered to issue the vaccination plan requested in his request for data of public interest. According to the respondent’s defence, it was aware of the vaccination plan, but it was not its controller and as the petitioner himself disclosed on the Internet that he obtained the vaccination plan, the enforcement of his request does not comply with the social purpose of the Privacy Act. The court of first instance established that the respondent was not a controller with regard to the vaccination plan as the Operational Staff qualified as controller, thus the petitioner requested the issue of the vaccination plan from the inappropriate respondent. In addition, the petitioner was able to have access to the vaccination plan in another litigation in progress during the procedure of first instance, which was not disputed. The court of second instance established that the petitioner was able to have access to the vaccination plan from another controller and also because the respondent provided the link through which it could be accessed in the procedure of first instance. In view of this, the petitioner’s request enforced in the litigation does not serve the transparency of public affairs and it is not reconcilable with the social purpose of a fundamental right. Even if the capacity of the respondent and controller obtained, the respondent could not be ordered to issue the vaccination plan because it had already given the public source containing the data to the petitioner. In view of the provisions of Curia Decision Pfv. IV.20419/2021/6, the petitioner’s exercise of his rights was not regular, hence the court of second instance upheld the judgment of first instance.

Pf.20.117/2022/6.: The petitioner requested the issue of the vaccination plan against COVID-19 from the National

Public Health Centre. The vaccination plan requested by the petitioner is included in the document entitled

“Schedule of tasks related to vaccination against COVID-19” published by the Ministry of the Interior on its website. Following the launching of the litigation, the respondent referred to this and provided the electronic link to the document. The court pointed out that by reference to a public source, an organ performing public duties may fulfil a request for data, even if it was not that organ that had earlier made the information accessible to the public. It is not contrary to the purpose of the Privacy Act, if the controller voluntarily meets its obligation to provide data in the course of litigation; voluntary performance is in place also in the case of litigation, but when fulfilling a request for the issue of data in the course of litigation, the enforcement of the request cannot be regarded as unnecessary, hence the respondent was ordered to reimburse the petitioner’s litigation costs.

Pf.20.213/2022/8.: In his request for data of public interest, the petitioner requested data of public interest from the respondent related to the tender grants provided by the respondent to two limited companies. Within 15 days, the respondent informed the petitioner that based on Section 1(3) of Government Decree 521/2020. (XI. 25.), it will fulfil the request only within 45 days following the receipt of the request, but the petitioner did not wait for the expiry of this period, and submitted his petition. The court of first instance ordered the respondent to issue the data in accordance with the petitioner’s petition and established that the petition was not premature because the respondent referred to its emergency tasks only in general and not in accordance with the requirements of Constitutional Court Decision 15/2021. (V.13.) AB and failed to specify the reasons, which would render it probable that fulfilling the data request would jeopardise the performance of these tasks. The court hearing the respondent’s appeal found that the 45-day response period expired unsuccessfully even before the delivery of the letter of petition to the respondent and, in any case, being premature was not on the exhaustive list according to Section 176(1) of the Civil Procedures Act as a reason for rejecting the petition and subsequently for terminating the procedure. If, in the event of initiating a preventive procedure, in a litigation aimed at accessing data of public interest, the petitioner submits his petition prior to the due date for initiating a lawsuit as set forth in the legal regulation, and the due date expires even before the delivery of petition to the respondent without fulfilment of the data request, the petition shall not be rejected and the litigation shall not be terminated on account of the omission of the mandatory procedure preceding litigation. The judgment of the court of first instance was upheld by the court of second instance.

Pf.20.066/2022/5.: The petitioner requested data concerning an EU tender for agriculture, forestry and food processing. According to the respondent, some of the requested data are not public because according to Section 24(1) of Act XVII of 2007 on Certain Issues of the Procedure Related to Agri and Rural Development and Fishing Grants and Certain Measures (Agri Aid Act), the data generated or recorded in the procedure of the controller are not accessible as a main rule except for the data according to paragraph (2), for which the Agri Aid Act requires a quarterly disclosure obligation in any case (www.palyazat.gov.hu and www.magyarallamkincstar.gov.hu). The court of first instance ordered the respondent to issue all the requested data because the provisions under Section 24(1) and (2) of the Agri Aid Act are not consistent with any of the reasons for refusal under Section 27(2) of the Privacy Act, hence the provisions of the sectoral legal regulation are irrelevant from the viewpoint of the fulfilment of the data request. The respondent appealed and presented that the two directly applicable EU regulations provide as follows: according to Article 111 of Regulation (EU)1306/2013 only the data specified therein need to be disclosed on the beneficiaries of a grant, while according to Recital (32) of Regulation (EU)908/2014 publication should not go beyond what is necessary in order to reach the transparency objectives pursued. According to the respondent’s appeal, the part of the data request on “who evaluated” the tenders and “who carries out control” cannot be the subject matter of request for data of public interest as these are the personal data of civil servants. The Court of Appeal referred to the fact that in its Decision Pfv. IV.21.093/2020/5 the Curia clarified: Section 24(1) and (2) of the Agri Aid Act may not restrict the range of accessible data of public interest and data accessible on of public interest grounds. Hence, the Court of Appeal had to examine whether it would have been right to differ from the decision of the Curia in a legal issue based on the appeal. In relation to the EU regulations referred to, the Court of Appeal pointed out that they regulate the obligation to publish and do not contain any prohibition as to providing access to additional information related to tenders upon special request in addition to the data which are mandatorily published. The names, responsibilities and duties of the persons evaluating and controlling tenders are data accessible on of public interest grounds of civil servants according to Section 26(2) of the Privacy Act. In view of all this, the Court of Appeal upheld the decision of the court of first instance.

Pf.20.023/2022/10.: The court of first instance ordered the respondent to issue the calculations made in accordance with the requirements of Section 133(2) of Act CXLIII of 2015 on Public Procurement in a context of the announcement of the concession tender for motorway operating services and the related data substantiating compliance with the relevant legal requirements (all other data substantiating the 35-year period of the contract according to the invitation to tender) to the petitioner. The court pointed out that it does not follow from the fact that the Public Procurement Act does not require the accessibility of the data that they could not be accessible as data of public interest. Concerning the nature of the data supporting decision-making both paragraphs (5) and (6) of Section 27 of the Privacy Act are applicable in the legal dispute, because the announcement was published based on the calculation preceding the announcement, i.e. a decision has already been made, but the calculation and the related data substantiating compliance with the relevant legal requirements also support future decisions as the concession tendering procedure continues even after sending the invitation to tender, and the preliminary calculation is finalised when the contract is concluded. When applying Section 27(5) of the Privacy Act, the controller should have carried out the public interest balancing test according to Section 30(5) of the Privacy Act. In this context, for the court’s discretion it is necessary for the controller to enclose the data concerned by the data request as a sealed document in the lawsuit, with regard to which it is warranted to restrict access according to its own consideration; if respondent fails to do so, it is also unable to comply with its interest in providing evidence. Because of this, the court upheld the decision of first instance.

Pf.20.363/2022/7.: The petitioner submitted a request for data of public interest to the respondent with regard to copies of additional contracts, orders, performance certificates and invoices based on the two framework contracts for the fireworks and festivities of 20 August 2021. According to the decision of the court, the data request does not qualify as comprehensive, invoice level data request as it applied only to two framework contracts.

Pfv.20.040/2022/5.: The petitioner’s data request was primarily aimed at having access to the loan contract between the Government of Hungary and the Export-Import Bank of China and secondarily, in the event of a dismissal of the data request, to the specific information the minister has considered and the foreign policy and foreign economic interests that would be jeopardised by the disclosure of the loan contract. The court pointed out that under Section 27(2)(f) of the Privacy Act, an act may restrict access to data of public interest in view of external relations. Section 2(3) of Act XXIX of 2020 promulgating the Convention on the investment for the reconstruction of the Budapest-Belgrade railway (hereinafter: BB Railway Act) specifies that the issue of data shall be refused for 10 years from the generation of the data, if access to the data would jeopardise Hungary’s foreign policy and foreign economic interests free from undue external influence, and according to Section 2(4), the minister in charge of foreign economic affairs shall decide on whether or not a request to access the data can be fulfilled and on the disclosure of the data, having weighed Hungary’s foreign policy and foreign economic interests and also obtaining the position of the Government of the People’s Republic of China. In view of Article 3(8) of Act XXIV of 2016 promulgating the Convention, the minister is bound by the statement of the Chinese party: “[...] Information provided by the parties to one another of this Convention or generated as a result of the Convention implementation shall not be disclosed and shall not be transferred to any third party without the prior written consent of the two parties.” According to the court’s decision, the minister has no obligation to justify his considerations as the BB Railway Act does not specify the criteria of consideration as it is within the discretionary powers of the minister; the court may not review the minister’s consideration as that has no legal basis. The court annulled the final judgment ordering the respondent to fulfil the request for data of public interest and upheld the judgment of first instance rejecting the petitioner’s petition.

Pfv.20.258/2022/11.: The petitioner requested data of public interest from the respondent prize-awarding body; however, according to the respondent’s position it was not an independent subject of law: it does not manage funds, it has no independent account, it does not spend public funds, it does not perform public tasks, it merely awards the prize and organises the award ceremony, i.e. it is but a group of persons consisting of the managers of the founders, it is not an NGO or any other organisation, it is merely a framework for cooperation among the organs enacting the deed of foundation and its legal relationship according to civil law. The court of first instance terminated the litigation by order in view of the fact that prior to the litigation, the petitioner submitted his request for data of public interest to a non-existent entity in the absence of an operating organisation, the respondent does not process data of public interest, the data and documents are processed by the founders and the secretary of the body. The Curia adjudged the petitioner’s request for review as unfounded. In a litigation for the issue of the data of public interest when assessing whether the subject indicated as respondent has legal capacity in the litigation based on Section 31(4) of the Privacy Act, it is necessary to take into account the actual activities of the subject indicated, whether it is capable of processing data of public interest, or data accessible on public interest grounds, whether it had the organisation needed for this. In the absence of such capability and organisation, the petition for the issue of data of public interest shall be rejected and in the absence of this, the procedure shall be terminated.

2.Pf.20.567/2022/3.: The defence put forward by the respondent in the litigation was that it was not a controller based on Section 3(9) of the Privacy Act. The court pointed out that based on Sections [31]-[33] of Constitutional Court Decision 6/2016 (III. 11.) AB what needs to be examined in litigations of this kind is not whether the respondent is defined for the processing of personal data by the legislator, whether it is a controller according to the definition specifying the purpose of processing the data, but whether the condition set forth in Section 26(1) of the Privacy Act is met with regard to it, i.e. whether the data desired to be accessed are actually processed by it.

Pf.20.893/2021/5.: The respondent is a business organisation fully owned by the Hungarian State, carrying out public task specified in a legal regulation concerning tourism. The respondent’s data request was for the respondent to disclose by name, who decide on individual support and who are on the professional panel referred to by the respondent in an interview. The court of first instance found that what has significance is not that the professional panel does not act as a body according to the defence put forward by the respondent, but who the persons are that are involved in the evaluation of requests for support. Pursuant to Section 2(1)(c) of Act CLXXXI of 2007 on the Transparency of State Aid from Public Funds (State Aid Transparency Act), these persons qualify as decisionmakers and pursuant to Section 26(2) of the Privacy Act, they are persons acting within the functions and powers of the organ performing public duties. The court of first instance ordered the respondent to issue the names of the decision-makers as data accessible on public interest grounds and the decision was upheld by the court of second instance.

Pfv.21.441/2021/5.: The respondent is a business organisation held exclusively by the state, which was designated by the Government to supply textbooks, produce textbooks for schools and carry out the tasks related to ordering textbooks. The petitioner requested access to the contract and its annexes with which the respondent purchased 97.71% of the shares in the LLC from a natural person. According to the defence put forward by the respondent, the amount that it spent on purchasing the shares in the LLC does not qualify as public funds because the procurement was financed in 2020 by receipts that it had obtained prior to 2020. With reference to the case law of the Constitutional Court, the court of first instance established that the management of funds used in the course of performing public duties does not lose its public fund nature only because it is carried out by a non-profit business organisation; the respondent performs public duties, its assets are the assets of the state, i.e. national assets. The court of first instance ordered the respondent to fulfil the data request and the judgment was upheld by the court of second instance. In the review procedure, the Curia upheld the force of the final judgment.

5. On the fee covering costs that may be imposed in relation to the fulfilment of data request

As explained above, the rules concerning the fee to cover costs that may be imposed in relation to the fulfilment of data requests have changed significantly in a favourable direction for the enforcement of the freedom of information from October 2022, but over the past years, this was a topic that generated a great deal of legal disputes, particularly because of the fees imposed with reference to labour resources. In 2022, NAIH reviewed altogether 35 fees for costs, of which 11 enquiries were launched in 2021: controllers were municipalities, government offices, business organisations in public ownership and foundations, and in the majority of cases the infringement could be remedied by having the data issued free of charge or with a substantially reduced fee. In 2022, the highest fee covering costs into which an inquiry was made was HUF 558,093; the petitioner requested the contracts and permit applications by an organ performing public duties for a period over two years. (NAIH-2812/2022)

In another case, the petitioner requested copies of the statement of assets of the mayor, deputy mayors and representatives of the municipality, in addition to copies of the invoices of cash desk payments, cash desk logs and bank account statements of the mayor’s office for 2019-2021. The Authority regarded the moderate amount of the fee (HUF 81,987) imposed by the municipality as acceptable with regard to the invoices, in view of the small staff working for the municipality and the large quantity of the requested data - the documents requested made up altogether 909 pages. At the same time, the Authority called upon the municipality to fulfil the request for the statements of assets without imposing a fee to cover the costs. (NAIH-2894/2022)

HUF 79,200 were incurred as cost in a case where the petitioner wished to know the total number of nights spent by children and their escorts in two Erzsébet camps in the preceding year, what was the per capita cost of accommodation and the daily board and what was exactly included in the board. In the course of its inquiry, the Authority established an infringement as the petitioner was notified of the amount of the cost to be charged after the expiration of the relevant period, and it was not informed in sufficient detail of the reasons on the basis of which the labour resources needed qualified as disproportionate in the operation of the Foundation, and the Foundation in its answer failed to call attention to the possibilities of legal remedy. In view of the above, the Authority called upon the Foundation to send the requested data free of charge. (NAIH-2718/2022, NAIH-1857/2022)

5. On the fee covering costs that may be imposed in relation to the fulfilment of data request (2)

6. NAIH recommendation concerning the obligation to provide information for the entity actually proc...

With reference to the Tromsø Convention and specific investigative experiences, NAIH issued a general recommendation in 2022 stating that the requested entity should – simultaneously with the rejection of the data request and the information on legal remedy to which the data subject is entitled pursuant to the Privacy Act – provide additional information on the identity of the actual controller provided that it has the relevant information (particularly if the actual controller is now or has earlier been subordinated to it, or based on relevant legislation, the identity of the controller can clearly be identified by the entity). The full text of the recommendation is accessible here: https://naih.hu/informacioszabadsag -ajanlasok .

7. Personal data accessible on public interest grounds

Ever since the establishment of the Authority, or perhaps since the introduction of the legal institution in 2005, it has been an evergreen issue to which personal data are guaranteed access by the Privacy Act or the provisions of other laws on grounds of public interest and which are not accessible to petitioners. A common feature of data accessible on public interest grounds is that an Act of Parliament provides for their accessibility. The assessment of accessibility is, however, not always self-evident because beyond the fact that Section 26(2) of the Privacy Act – as a main rule – places other personal data related to the discharge of public duties into the accessible sphere, Annex 1 to the Privacy Act (in the General Publication Scheme) and the special publication provisions of other acts require also additional types of data to be published, which otherwise qualify as personal data. It is also important to note that the so-called legal status acts applicable to persons discharging public duties may not restrict the provisions of the Privacy Act ensuring general assess, except if this is allowed by the Privacy Act, for instance in the case of Section 26(3). The evaluation of the accessibility of personal data on public interest grounds is basically possible through a three-step process of analysis:

1.Whether the data subject (or a specific range of persons), is a person acting within the functions and powers of the organ performing public duties, i.e. does the entity “employing” the data subject perform public duties.

If the answer is yes, then a well-grounded decision has to be made on whether the activity, actions, work of the data subject concerned in the request for data fall within the responsibilities of the organ (discharging public duties), whether he or she participates in that in merit.
The third step is to assess on a case-by-case basis, whether there is a link between the type(s) of data requested (data sets) and the performance of the tasks concerned, such that the specific data to be accessed are in the public interest and therefore can be disclosed.

Otherwise, the refusal to disclose the data has to be justified, i.e. the petitioner has to be informed why the data is not accessible on public interest grounds, or why it is not related to the discharge of public duties by a person performing public duties, or why the data clearly belong to the protected private sphere of the data subject. In addition, the established case law of the courts and NAIH has also to be taken into account. The provisions concerning access to data of public interest have to be applied to accessing data accessible on public interest grounds; in the absence of a provision for publication, these data can be accessed through data requests. In addition, it is an important requirement to which the attention of controllers must be called in every case that personal data accessible on public interest grounds may be promulgated respecting the principle of purpose limitation. The provisions of Annex 1 of the Privacy Act and separate acts concerning the legal status of persons discharging public duties govern the publication of personal data accessible on public interest grounds on websites. According to the justification of the amendment of 2013: “Although the rules on accessing data of public interest are to be applied to access such data, the nature of these data as personal data remains in spite of their accessibility, as the most important safeguard of data protection, the data requirement of the principle of purpose limitation must still be upheld and enforced in full in the course of the subsequent use of the personal data already published. At the same time, purpose limitation cannot be an impediment to the freedom of the press. The act intended to constrain the use of publication obviously contrary to the original intent of the legislator, such as the publication of databases containing personal data within the framework of the law.”

To the extent that the processing and accessibility of data accessible on public interest grounds is needed for the transparency of public affairs and for the democratic discussion of public matters, processing (necessary and sufficient) in line with this also qualify as lawful under the GDPR [Recital (153), Article 17(3)(a), Article 85 and Article 86] provided that it is done with the appropriate legal basis and purpose. Establishing to what extent the data processed relate to the performance of public duties or to what extent they are part of privacy to be protected requires separate consideration in each case. In the justification of its Decision 443/D/2006. AB, the Constitutional Court expounded that “it is not in itself sufficient for a restriction of a fundamental right to be the constitutional (...)that it is done to protect another fundamental right or freedom, or with a view to some other constitutional purpose, it is also necessary that it complies with the requirements of proportionality: the importance of the purpose to be achieved and the seriousness of the infringement of the fundamental right caused for that purpose must be in proportion to one another.”

A citizen complained that a county self-government, disclosing contracts for grant over the Internet, published his personal data when it published the contracts for development projects implemented with European Union funding in accordance with Privacy Act, Annex 1, General Publication Scheme, III. Financial Management Data, point 7,. As the head of a non-profit business organisation fully held by the state performing public duties, the complainant performed public tasks at the time of signing the contract, hence his name, position, signature and initials qualify as personal data accessible on public interest grounds. The publication of the contract on the Internet containing personal data accessible on public interest grounds took place in accordance with the requirements of the Privacy Act, consequently rendering these data unrecognisable cannot be requested lawfully. (NAIH-3115/2022)

Another private individual contacted NAIH asking whether he may request data concerning the secondary school certificate of the settlement’s mayor of his former school. Legal regulations do not prescribe any specific school qualification as a condition of filling the post of mayor, hence the secondary school certificate of the mayor does not qualify as data accessible on public interest grounds, hence according to the rules of the Privacy Act, a controller must reject such request for data. In the case when a mayor voluntarily published the data related to his school qualifications, or it was done based on his recorded consent, is separate from the above case; according to the Authority’s position these data are accessible in such a case. (NAIH-3340/2022)

The Hungarian Medical Chamber (MOK) requested the Authority’s position on MOK’s recommendation for the transparency of medical ethics procedures, the constraints of implementation in the current legal environment and the law amendments needed for implementation^{^[1]}. GDPR Article 86 provides that: “Personal data in official documents held by a public authority or a public body or a private body for the performance of a task carried out in the public interest may be disclosed by the authority or body in accordance with Union or Member State law to which the public authority or body is subject in order to reconcile public access to official documents with the right to the protection of personal data pursuant to this Regulation.”

In its earlier statement,^{^[2]} the Authority expounded that it follows from the joint interpretation of Section 26(2) of the Privacy Act and Section 112 of Act CLIV of 1997 on Healthcare (Healthcare Act) that if an ethics procedure initiated in the context of a physician performing his public duties (for instance, fraud in the context of medical activity) was closed, then the right to informational self-determination of the person performing public duties may be restricted. With a view to the fulfilment of a request for data of public interest, it is necessary to distinguish whether the ethics procedure conducted by MOK concerns and if so, to what extent, the performance of public duties by the physician. When a decision bought as a result of the ethics procedure is made accessible to fulfil a data request, the disclosure has to be restricted to the content relevant to the performance of public duties by the physician. According to the regulations in force, the fact of a final penalty imposed under an ethics procedure, the date when the decision

imposing the penalty becomes final and an indication of the date of its statutory limitation as other personal data related to the performance of the public duties of physicians qualify as data accessible on public interest grounds. The legal situation would be clearer, if the Act (such as an amendment to Section 112 of the Healthcare Act) were to determine which data of the ethics procedure can be accessible through data request. For the time being, the publication of these data on websites is not required by any legal regulation, i.e. they do not qualify as personal data accessible on public interest grounds. (NAIH-1715/2022)

Also in the field of health care, a pharmacist complained about the obligation imposed by the authorities on pharmacy employees to wear a badge with their full name and position. In its decision, the Authority concluded that the data in question are the data accessible on public interest grounds under both the sectoral law and the Privacy Act, thus wearing a name badge in the pharmacy as processing is lawful, it does not infringe the data subject’s right to informational self-determination, but it is a restriction proportionate to the purpose of data processing. In a remedial procedure, the court also upheld NAIH’s decision. (NAIH 962/2022).

A legal adviser asked for information on the interpretation of the aggregated data on personal allowances paid to persons employed by public bodies (Privacy Act, Part III (Management Data), Annex 1, disclosure unit in point 2). According to judicial practice, if by virtue of the nature of the work, the activity can be carried out not only on the basis of an employment relationship but also under some other legal relationship aimed at the performance of work, in view of the principle of the freedom to contract, the parties can freely decide on the type of contract (civil law contract or employment contract) for the work to be carried out. Because of this, the range of persons employed and the full publication of the data related to the use of public funds in relation to them should be interpreted broadly with a view to proactive freedom of information. In view of the above, all the circumstances of the case should be considered to establish whether the public funds paid in lieu of the legal relationship and the performance of tasks by a given person were used for the purposes of his/her employment. Under the law, in the case of employees, the number of persons (headcount) receiving payment from the given organ has to be disclosed quarterly (every three months) together with the total amount in forint terms. In the case of managers, it is also quarterly (every three months) that the number of persons in managerial positions or senior officials is to be stated at the given organ, and what is the amount paid to them in total (as wages or dues). Furthermore, if they received regular benefits, then what the total amount paid by the organ for these benefits was, and over and above these, what cost reimbursement they received and what the total amount paid for this during the given period was. Point 3 of the publication unit covers every employee not in a managerial position. It is also quarterly that their benefits received from the given organ (personal and other benefits) and their total amount during that period is to be stated. The text of the statement is available in full in the website^{^[3]} (NAIH-933/2022)

The request for data concerning the disclosure of wage data of employees making use of the work time allowance due on trade union work at a public transportation company was lawfully rejected. Employees carrying out trade union work at the company are not in the category of persons performing public duties, in view of the fact that these activities are not included in the functions and powers of the company providing public services. In addition to this, there is no legal provision currently in force that would ensure the accessibility (accessibility or publication) of the personal data of persons carrying out trade union activities. Although Section 2(1) of Act CXXII of 2009 on the Economical Operation of Business Organisations in Public Ownership (Public Company Operations Act) classifies the data listed therein as accessible on public interest grounds and also provides for their publication, this, however, does not automatically render other personal data processed by organisations or companies discharging public duties accessible on public interest grounds. The requested data may be made accessible in a cumulative form or in a manner unsuitable for the identification of persons. (NAIH-3353/2022)

[1] https://naih.hu/dontesek -infoszab -allasfoglalasok?download=504:allasfoglalas -az -orvosetikai -eljarasok -transzparenciajara vonatkozo -javaslatrol

[2] Statements NAIH/2017/1936/5/V and NAIH/2017/1936/10/V

[3] https://naih.hu/dontesek -infoszab -allasfoglalasok?download=494:allasfoglalas -konzultacio -a -kozfeladatot -ellato -szerv -altal foglalkoztatottakra -vonatkozo -adatok -kore -es -kozzetetel -targyaban -infotv -1 -melleklet -iii -resz -gazdalkodasi -adatok -2 -pont

8. “Post-Covid”

The Authority continued to receive notifications related to epidemic (vaccination) data in 2022; also, several inquiries launched in 2021 were concluded in this year. Below, we provide information on these.

8.1. Consultation with the National Public Health Centre (NNK)

In October 2022, the leaders of NNK presented the systems, processes and related problems in connection with the registration of infection data in the course of a personal consultation.

Section 15 of Act XLVII of 1997 on the Processing and Protection of Healthcare Data and Related Personal Data and the provisions of Decree 1/2014 (I. 16) EMMI on the order of reporting infectious diseases provide a clear legal framework for the collection of epidemiological data on infectious patients. However, any conclusion to be drawn from the raw set of data or answering any professional questions arising and/or data requests is only possible after the appropriate validation and analysis of the data, which includes the correction of accidental errors and the comparison of individual data fields with the help of computer programs in order to identify conflicting information.

Calling upon a healthcare provider to correct or supplement data after their recording is not warranted either medically or epidemiologically because their primary task is to provide patient care. The infectious patient reporting subsystem of the National Professional Information System for Epidemiology (hereinafter: OSZIR) was developed for a low number of cases. The more than sevenfold increase in the volume of data entering the epidemiological system could not be handled by the methods used previously. There was no time to prepare the system in 2020 for the mass processing of the data of the Covid-19 epidemic, thus IT problems arose from September 2020. The fact that the same staff member had to carry out validation as well as contact research and issue obligations constituted additional difficulties. The use of OSZIR requires special knowledge and the recruitment and training of additional staff members was not successful during such a short period of time. The path of infection data is complicated. The infectious patient notifier (family) doctor or the staff member authorised to notify infectious patients from hospitals may report to the infectious patient reporting subsystem of OSZIR. The district epidemiologists competent according to the place of contracting the disease create disease cases from the reports (a form containing the data of the given disease). Patients are identified using a unique identification code generated on the basis of the name and the TAJ (Social Security) number. If laboratory testing substantiates Covid19 infection, the epidemiologists of the district public health office classify the suspicious case as verified after receipt of the laboratory finding and collate the clinical data with the microbiological data. NNK staff check the reports and the entries concerning epidemics. If they raise a question or note an error or deficiency, it is then indicated to the notifier who is able to correct the error or supplement the missing data on the message board. Logical validation (for instance, if a case of the same patient was notified in several places) and annual validation (for instance, if a case was incorrectly closed, or the removal of a patient warranted because of recovery was omitted) are carried out on the data. Annual closure takes place on 1 March of each year, when all the cases of the previous year are closed. The data in the NNK system are also compared with the post mortem certificates received by the Central Statistics Office; the final data which may be regarded as valid from the reports of the preceding year are made available in May.

Data concerning vaccinations are recorded in a separate interface in the Electronic Healthcare Service Area (hereinafter: EESZT). This means that data on infected persons and data on vaccination are located in two different databases. (In the meantime, a so-called Master Table was generated from the two databases.) The system includes only the location of the vaccination, not the place of residence. There was no time to enter additional data, the primary objective was a rapid recording of the data. One of the fundamental problems and source of errors of data entry was that the system did not provide an opportunity for the automatic entry of the patient’s personal data - i.e. entering these data from the accurate and creditworthy healthcare database already available through an interface. Thus, the physicians and healthcare providers admitting the patients had to key in the data manually, increasing the errors arising from erroneous data entry. The ratio of erroneous data concerning the cause of death exceeded 30 percent, and only the data on the dead are validated, hospital care data are not. Another important aspect is that it is not possible to isolate, if a hospital patient is also Covid-19 infected, but the reason for his/her hospital care is not this, as the Covid-19 infection would not otherwise require hospital treatment. In individual cases, the physician providing care could sort these out, but at other times this is not professionally possible, and this may change also from hour to hour for any patient.

Information notified concerning the location of care is available in the OSZIR Infectious patient reporting subsystem; however, NNK is unable to generate the data concerning how many of the Covid patients requiring hospital care were vaccinated and what vaccine was given to these patients. Such a question can only be answered if all the healthcare providers having reported infectious patients in the period under study are called upon to check every single case and correct the information concerning the location of care. A typical example is when the family physician reports a confirmed Covid-19 infected patient notifying him, who is quarantined at home, and selects the information to be entered in the OSZIR data field accordingly. At the same time, it may happen that the patient is taken to hospital in a few days’ time, and the family physician is unaware of it. Similarly, patients admitted to the emergency wards of hospitals diagnosed with Covid-19 infection is reported by the hospital characteristically as under hospital care, although the patient may be allowed to go home after a few hours of observation. In such cases the healthcare provider is able to provide valid information after consulting the patient and his/her family, and studying the .pdf documents one-by-one accessible in EESZT.

The IT refurbishment of OSZIR is in progress, more automatic debugging opportunities will be available and it will be easier to process the data, nevertheless the need for human factor validation will remain. NNK emphasized that no organ has accumulated data based on the relevant personal data as to how many Covid-19 infected patients were treated in hospitals, how many patients’ breathing was assisted and how many Covid-19 patients were treated in intensive care units.

8.2. NAIH’s inquiries

In the inquiries related to Covid-19 data, most of the time, the Authority had to check whether the issue of the requested data indeed required the generation of new data and whether the new data could in fact be generated simply and quickly.

A person requested data from the National General Directorate of Hospitals (OKFŐ) with regard to those newly infected, those treated in hospital with coronavirus infection and those dying of coronavirus infection, asking what percentage of them was vaccinated with one and what percentage with two vaccines, however, OKFŐ rejected the data request. The Authority examined whether OKFŐ had data in its possession, of which the requested data could be generated using simple mathematical or other operations not constituting substantial difficulty (such as aggregation). OKFŐ explained that there were no legal requirements, which would place an obligation in it to generate the data in the structure according to the criteria given by the person requesting the data. According to the information they provided the requested data were available in EESZT as follows:

newly infected: available (Annex 1 to EESZT)
persons treated with coronavirus infection in hospital: partially available. From the availability of positive Covid-19 test results and the commencement of inpatient care, it can be deducted only conditionally that any given citizen was admitted to hospital with coronavirus disease. This can be stated for certain only if the governing attribute “main diagnosis warranting care” was completed by the healthcare provider entering the data when sending in the inpatient care event. Citizens having positive coronavirus test results 30 days prior to or within 15 days after the commencement of inpatient care are regarded as hospitalised with Covid-19 infection. Screening is complicated by the fact that while EESZT stores data at the level of organisational units, hospital admissions can only be interpreted at the level of institutions. Because of this and because of the frequent relocations within a hospital occurring in more severe cases of infection, a formula has to be applied to determine the commencing and closing dates based on the given institutional care.
deaths related to coronavirus infection: partly available to the extent it can be unambiguously established that the person was admitted because of Covid-19 infection.

OKFŐ also emphasized that the various data types concerned in the data request could be generated in the EESZT system using database operations only, specified by an expert, whose full lead time is 56 work hours. OKFŐ provided detailed information on the database operation specified by an expert and their time requirement. The Authority established that the generation of the new data exceeds the level of simple IT mathematical or other operations not constituting substantial difficulties, hence the rejection of the data request was lawful. (NAIH193/2022)

A Member of Parliament requested the vaccination data of Covid patients in hospital care, those requiring treatment by ventilator, and deceased Covid patients from EMMI, NNK and the Prime Minister’s Office. NNK has an obligation to collect data only with regard to those deceased; NNK has vaccination data (not in the OSZIR database), which may be linked to this, but compiling the answer by comparing these databases would have been possible only by generating a new database. NNK does not collect data on those requiring hospitalisation or treatment by ventilator.

In addition, the Authority examined what data NNK was required to transfer every week to the pandemic- evaluation register based on Section 2(3)(a) of Government Decree 333/2021. (VI.10.) in force at the time of making the request. The obligation to forward data applied only to the data of the PCR findings and not to the place of treatment or those requiring hospitalization. With respect to hospitalized Covid patients and those requiring treatment by ventilator, the Authority accepted NNK’s justification and established that in view of the fact that NNK did not have the requested data, there was no infringement when it rejected the request for these data. The Authority also requested information from EMMI about the statistical analyses it received from the National Health Insurance Fund Manager (NEAK) pursuant to Section 2(2) of the decree. According to the provision referred to, NEAK in collaboration with NNK, OMSZ and OKFŐ produces statistical analyses supporting vaccination strategy, which it sends inter alia to the minister for human resources on a weekly basis. The Authority has found that the questions in the data request cannot be answered from these analyses, because they concerned the vaccination data of those infected by Covid in general, and did not contain data concerning the hospitalization, mechanical breathing support and death of the infected patients. Because of this, the Authority accepted EMMI’s justification and established that in view of the fact that EMMI did not have the requested data, there was no infringement. The Authority found the same with regard to the Prime Minister’s Office for the same reason. Although the data request did not concern NEAK, the Authority also requested information from NEAK, which explained that it only had data on deaths in publicly funded hospitals in Hungary , but it failed to confirm, despite repeated requests, whether the requested data are available to NEAK concerning those treated and deceased in publicly funded hospitals in Hungary. (NAIH-2597/2022)

In another comprehensive inquiry, a person asked NNK, OKFŐ, the Prime Minister’s Office and the Semmelweis Medical University (hereinafter: University) what percentage of those newly infected by coronavirus, those hospitalised with coronavirus infection, those on ventilators and those dying in relation to coronavirus disease were vaccinated and unvaccinated (in a chronological breakdown, processed by the organs contacted). The Prime Minister’s Office declared that it did not have the requested data, NNK explained that only Covid-19 infected persons associated with nosocomial epidemics (i.e. those infected in hospital) are included in the judgment referred to by the Authority (Budapest Municipal Court 2.Pf.20.641/2021/4/II.) and in the Excel table also mentioned by the Authority, whereas the data request concerned those hospitalised with Covid-19 infection and whether they were vaccinated.

Concerning the vaccination of those newly infected with coronavirus and those dying in relation to coronavirus disease, NNK informed the Authority that it validated the data received in the meantime and using mathematical operations and by sorting and comparing the data, it generated the requested data and sent the answer to the notifier. This was possible because after the validation of the data received in the OSZIR system, NNK created another register, which contained the requested data. The University informed the Authority that the Clinical Epidemiological Working Group did not have the requested data in an aggregated format with regard to the four university clinics and data were not collected for such a purpose. The requested data exist in the MedSolution system as meta data, but their aggregation according to the data request is not done with respect to the University as neither legal regulation, nor any other obligation to provide such data exists. The University explained that the aggregation of the data in the system amounting to millions of records according to the parameters requested would require the custom development of the MedSolution system, certainly demanding substantial expenditure, in addition the University - even after the development - could provide the requested data only in part with regard to its own institution. In the absence of such development, searching the data of several million records and their requested compilation manually is unimaginable as the University does not have the human capacity to do it. According to the University’s statement, the Working Group did not possess the data, of which the requested data could be generated. The Authority established that the University did not commit an infringement. (NAIH2597/2022)

In another data request submitted to NNK, the number of coronavirus infected persons was requested between 1 January 2021 and the day of providing the data, and of this, the number of those having one, two or three vaccinations in a daily breakdown. NNK stated that the requested data were accessible to the public on the website koronavirus.gov.hu and also informed the notifier that the controller is not under an obligation to collect data, or to produce qualitatively new, other data or series of data by comparing the data it processes. The Authority found that NNK violated the notifier’s right to having access to data of public interest when it failed to provide the exact accessibility of the requested data, and directed the notifier to a central website instead. Furthermore, it is not clear from the answer given to the data request which of the data were published in the public website mentioned and which are the data which would have to be generated. NNK issued the requested data, but also noted that the requested data were generated exclusively after the NAIH’s call using mathematical and IT operations through the comparison of databases generated as a result of the validation of the data. In addition, NNK informed the notifier that the issued data alone, by simple comparison, were not suitable for drawing conclusions concerning the dynamics of the epidemic or the efficiency of the vaccines. (NAIH-5254/2022)

9. The transparency of municipalities

In general, citizens come into direct contact with organs performing public duties and managing public funds at the level of the municipality of their own settlement, so accessibility to the operation, performance of tasks and financial management data of these organs is of outstanding importance.

9.1. The accessibility of criminal data

The accessibility of criminal personal data is a recurrent problem [see Constitutional Court Decision 3177/2022. (IV. 22.) AB presented], and this was also discussed in last year’s report: the fact in itself that a criminal procedure is in progress in relation to a case does not exclude the accessibility of all of the documents. Based on judicial practice, the body of representatives of a municipality may put cases on its agenda, in relation to which a criminal procedure is in progress; however, in view of the provisions of Section 27(2)(c) and (g) of the Privacy Act, the preliminary opinion of the investigative authority, the prosecution or the court taking action in a criminal case (depending on the phase in which the criminal case is) has to be obtained before the session with regard to the pending criminal procedure, which data of the case are subject to the conditions excluding accessibility ; also appropriate organisational and technical (data security) measures have to be taken during the preparation and holding of the meeting to ensure that the data indicated by the organs taking actions in the criminal case are not made accessible to the public. Following anonymisation depending on the answer of the organs contacted, the data may be promulgated while respecting the requirement of purpose limitation in processing. (NAIH-4668/2022)

The complainant - the managing director of a business organisation performing municipal public duties at the time of the processing objected to - initiated the Authority’s investigation because he objected to several Facebook entries reporting a scandal in which the discovery of the unlawful acquisition of his secondary school certificate and a criminal case launched in relation to this was in the focus. The Authority established that the controllers complained against lawfully processed the disclosed criminal personal data, while discussing a public affair in public, exercising their freedom of expression with a view to informing voters. At the same time, however, the Authority classified the disclosure of the place of birth and the photo of the complainant depicting private activities as an infringement because the former does not qualify as personal data accessible on public interest grounds, while the latter depicted the complainant while acting as part of his private life. (NAIH-6968/2021)

According to another complaint, a business organisation fully held by the municipality of a city with county rights, which manages public funds and performs public duties, failed to fulfil the request for data of public interest concerning the organisation’s transparency report because a criminal procedure was in progress in relation to that report. When contacted by the Authority, the police station taking action in the criminal case stated that the criminal procedure was no longer in progress when the data request was submitted, thus access to the document could no longer violate the public interest in conducting the criminal procedure. (NAIH-1099/2021)

9.2. Self-governments of ethnic minorities

Also as part of the KÖFOP research project, the Authority studied and analysed the enforcement of freedom of information in relation to the self-governments of ethnic minorities; the positions of the professional managing organs as well as of the government offices were solicited and the Deputy Commissioner for Ethnic Minorities was also involved in the comprehensive inquiry. Summarising the investigations of specific individual cases, the signatories of the joint report^{^[1]} consider it appropriate that the municipal executive and the staff of the mayor’s office should actively cooperate in the mandatory electronic publication - i.e. the publication of the relevant documents in the appropriate publication units - and in the fulfilment of requests for data of public interest. The performance of these tasks presupposes mutual, efficient and ongoing cooperation regulated by an agreement based on consensus as well as by internal rules. It is also necessary that the legislator expressly provide, among the mandatory content elements of the administrative contract, for the tasks promoting the transparency of selfgovernments of ethnic minorities and their distribution in Section 80(3) of Act CLXXIX of 2011 on the Rights of Ethnic Minorities (hereinafter: Ethnic Minorities Act). In the future, informative and case management processes supporting the fundamental work of the self-governments of ethnic minorities, including the development of information and training materials and, in this context, the organisation of personal and online training courses which similarly to the representatives of municipalities provide adequate knowledge and information to the representatives of the self-governments of ethnic minorities with a view to the transparent operation of the selfgovernments, will have major importance. (NAIH-8317/2022)

The municipal executive of a municipality, which also has an ethnic minority self-government, invited the position of the Authority concerning the person of the controller in relation to a request for data of public interest (aimed at accessing data on the emoluments of representatives, employment on public works, contracts of assignment and other wage-type payments). Taking the definitions of the Privacy Act as the point of departure, in this case the ethnic minority self-government is the organ which, in the course of its operation, generates data of public interest and data accessible on public interest grounds and it follows that the ethnic minority self-government is responsible for the data. The Authority established that the data to be accessed through the request for data of public interest were processed by the various organisational units (organisation and administration, compliance, finance, audit and internal supply) of the mayor’s office, even though they relate to the operation of the ethnic minority selfgovernment. As the performance of public tasks by an ethnic minority self-government is affected under the professional supervision of the municipal executive through the various organisational units of the mayor’s office, according to the position of the Authority, the fulfilment of the requests for data of public interest is also the task of the mayor’s office managed by the municipal executive. (NAIH-166/2022)

Section 103 of the Ethnic Minorities Act states that representatives of the ethnic minority self-governments have to make statements of assets in accordance with Annex 2, to which they have to attach the statements of assets of their spouses/life companions and children living in the same household in accordance with the Ethnic Minorities Act. Pursuant to the second sentence of Section 103(3) of the Ethnic Minorities Act, the statement of assets of representatives of ethnic minority self-governments is accessible with the exception of identification data provided for audits, whereas the statements of their relatives are not. In view of all this, the statement of assets of representatives of ethnic minority self-governments qualify as accessible on public interest grounds, they are accessible to anyone by way of request for data of public interest and can be published in organ-specific publication schemes provided that the identification data needed for checking the statement of assets and the protected data are locked. (NAIH-1939/2022)

9.3. The transparency of statements of assets

Interest for the statements of assets of mayors and representatives of municipalities, as well as self-governing bodies of ethnic minorities continue to be keen^{^[2]}. The statements of assets of mayors and municipal representatives are data accessible on public interest grounds, which must be made accessible to anyone by way of data request. (NAIH-6476-2/2022)

Because of the high number of data accesses based on individual requests, several municipalities wished to make decisions on the publication of these data in organ-specific publication schemes and therefore, in compliance with

the legal requirement, solicited the opinion of the Authority. The Authority recommends the enactment of municipal decrees concerning the transparent operation and the publication of organ-specific publication schemes because this is a case of so-called mandatory data processing ordered by the controller (in this case the body of representatives). Pursuant to Section 5(3) of the Privacy Act, the type of data, the purpose and conditions of processing, the access to such data, the controller and the duration of the processing or the regular examination of its necessity shall be specified by the act or local government decree ordering mandatory processing, the consent of the data subject is not and cannot be necessary. The data types, which constitute the publication units of the general publication scheme mandatorily published, need not be included in the organ-specific publication scheme. The data in the statement of assets qualify as personal data accessible on public interest grounds, thus the processing of these data, including their publication, is possible only for the period specified in the act ordering the processing, i.e. for one year after the statement of assets was made. The personal data of relatives have to be deleted from the published statements of assets, because they cannot be accessed by people requesting to inspect them. Legal regulation still does not provide an opportunity for the controller to specify a retention or archiving period for the published statements of assets, the term applicable with regard to retention is: “the previous status is to be deleted”. (NAIH-4929/2022., NAIH-6903/2022)

In an inquiry, the mayor’s office concerned only partially fulfilled the request for data of public interest for accessing the statements of assets for 2020 of the municipal representatives and the deputy mayor functioning under a community mandate because – apart from the statement of assets of the deputy mayor functioning under a community mandate – the data desired to be accessed were published on the official website of the municipality. The Authority found that three of the published statements of assets revealed the protected personal data of close relatives. The municipal executive in charge of the office rejected the possibility of creating an organ-specific publication scheme “short of human resources”. (NAIH-2805/2021)

9.4. Additional data to be published in the organ-specific publication scheme

Following the entry into force of the local decree on the creation of an organ-specific publication scheme, in the case of the subsequent publication of contracts included to the publication unit and in the course of the preparation of future contracts, the Authority recommends that the municipality inform the contracting parties of its intent to electronically publish such contracts in full detail, including the range of data, the mode, place and duration of publication, , and that the data subjects are duly informed.

To publish invoices accepted by the municipality and its institutions, it is also necessary to create an organ-specific publication scheme. In the course of publication, it is necessary to review the data content of the invoices and the data, which are not of public interest or accessible on public interest grounds, have to be anonymised; the review has to extend to the examination of purpose limited processing with regard to the data content of the invoices received. The Authority disagrees with the publication of municipality decrees, decisions of the body of the representatives, public procurement procedures launched and the audit reports carried out at the municipality in organ-specific publication schemes because these sets of data belong to the publication units of the general publication scheme, whose publication is mandatory. (NAIH-6903/2022)

9.5. Financial management data

The complainant initiated the investigation of the Authority with regard to rejected data requests, in the case of which business organisations held by the municipality failed to provide data of public interest on contracts, which they concluded with a business organisation held by the incumbent mayor and his wife. Under the data principle, according to the consistent practice of the Authority and the courts, the data of the requested contracts regarded as business secrets must be examined one by one and established exactly which are data qualifying as business secret, whose disclosure would give rise to disproportionate violation of interest. As a main rule, public interest in the accessibility of the financial management of public funds and state or municipal assets precedes the protection of business secrets. The automatic declaration of the entire document as a business secret is not acceptable. It is necessary to substantiate with reference to specific facts which data of the requested documentation and why are subject to the Act on Business Secrets. Within this, the facts, data and compilation related to the business activity concerned, which are to be protected, must be accurately indicated together with the technical, commercial and organisational knowledge, experience or their compilation of value are contained in the documentation requested to be issued. Furthermore, the specific financial, commercial or market interests, which would be violated by access to the data, would have to be named. In addition, it is also necessary to consider which of these data regarded as business secret are the ones whose disclosure would cause disproportionate injury to the holder of the data. (NAIH4236/2022)

The complainant wished to access data related to the use of a property held by the municipality subject to local protection. Following the calls of the Authority, the controller municipality made the contracts available to the complainant, but the information related to the financial conditions and the names of persons administering the transaction - representatives of business organisations, law offices - were blocked. The Authority called the attention of the municipality to the fact that the data of business organisations and undertakings entering into business relationship with the municipality and the data of the law office, as well as of the person representing it. are data of public interest or data accessible on public interest grounds. As the municipality failed to respond to the calls of the Authority, a public report was issued on the case. (NAIH-221/2022)

In its response to a consultation request on sending the draft budget supporting decision-making prepared as an internal work document to a third person by a municipal representative, the Authority explained that based on the Privacy Act, information which genuinely constitutes part of the decision-making process, whose disclosure could jeopardise the success of implementation or would allow individual market agents to gain unjustified advantage can be excluded justifiably from accessibility as decision supporting data. At the same time, restriction of accessibility of decision support data cannot aim at rendering preparation for decision-making untransparent, to the contrary, its purpose is to allow the organ performing public tasks to carry out its internal decision-support activities free of unauthorized influence. The head of the organ processing the data, i.e. the municipal executive, may allow access to the draft budget prepared as an internal work material as decision-support data by a third person; the municipal representative may not have lawfully forwarded it to a third person without the permission of the municipal executive. (NAIH-2945/2022)

Pursuant to Section 27(3)-(3a) of the Privacy Act, in the case of a financial or a business relationship with a municipality, the name of the contracting party is definitely data accessible on public interest grounds. Natural persons who rent property held by a municipality in view of their welfare situation or enter into some other type of contract related to the utilisation of assets or the use of municipal funds taking their welfare situation into account cannot be regarded as persons in a business relationship with the municipality. In view of the fact that they use public property or public funds, their personal data other than their names and the fact of the legal relationship included in the contract do not qualify as data accessible on public interest grounds.

9.6. Data accessible on public interest grounds, personal data

The fact of unworthiness established about a municipal representative or mayor is data accessible on public interest grounds because it is directly related to the performance of their public duties. The municipality’s body of representatives has to make a decision on this at a mandatorily closed session, and as under Section 52(3) of the Municipalities Act, the decision of the body of representatives made in a closed session is accessible to the public, hence by the publication of the decision on unworthiness in the general publication scheme, the municipality meets its obligation to provide information. At the same time, if the cause resulting in the fact of unworthiness is established not in relation to the performance of public duties related to the position of a representative, such data continued to be personal data to be protected and neither the details of the procedure, nor the specific cause qualify as data accessible on public interest grounds. (NAIH-7194/2022)

The municipal executive of a mayor’s office asked whether the minutes of a public meeting of the body of representatives could record the representative’s remarks, in which - in relation to the subject matter - he named the business organisation with which the municipality concluded a contract and the fact that it was subject to distraint by the National Tax and Customs Administration. Authorised by an act, the National Tax and Customs Administration publishes numerous data within the notion of tax secret on its official website. According to Section 125 of the Taxation Act, the tax authority keeps public records on its website with regard to data specified in Section 266(d) and publishes inter alia the names and tax numbers of taxpayers with reference to erasure against whom the National Tax and Customs Administration conducts a distraint procedure, from the commencement of the distraint procedure until its completion. The full transparency of the public trade register data of companies, including business organisations, ensures accessibility to data significant for the protection of creditors, thus the answer to the question asked by the municipal executive is clearly: yes. (NAIH-419/2022)

Municipal representatives obtain their mandates enjoying the confidence of the majority of voters, this underlies their responsibility for the entire municipality, including the representatives’ rights and obligations. The quality and effectiveness of the work of the municipality depends fundamentally on the work of the municipal representatives, so exercising the rights of representatives is also an obligation: to appear, to prepare, to ask questions, to make comments, to vote responsibly, to comply with the confidentiality obligation, to maintain contact with voters and to behave in a manner worthy of public activities. Thus, the representatives’ votes cast on the individual items of the agenda at a public session of the body of representatives are data generated in relation to their discharge of public duties and are data accessible on public interest grounds, the votes cast by roll call can be displayed on the display showing the results of the vote. (NAIH-6902/2022) The accessibility of the votes of representatives cast in private sessions is restricted by secret ballot according to Section 18(4) of the Municipalities Act. (NAIH-5501/2022)

A representative made a video and sound recording using his mobile phone prior to the opening of the session of the body of representatives and shared the recording in a public Facebook group. The complainant explained that persons not qualifying as public actors (municipal executive, deputy municipal executive, heads of the departments of the mayor’s office) also participated in the session of the body of representatives, and the purpose of the controller was to discredit the session of the body of representatives and of the municipal representatives and make them look ridiculous. As the session could not be opened on account of obstruction by representatives, no information was given that could qualify as data of public interest at the event. According to the position of the Authority, the behaviour of the members of the body of representatives, which prevented the body of representatives to work, is information of public interest for a wide range of voters. The transparency of municipal operation means not only accessibility of the decisions made, but also the transparency of the decision-making processes. Participation in a public session of the body of representatives in an official capacity qualifies as action in public life according to Section 2:48(2) of the Civil Code and there is no need for the consent of the data subject for recording it, using the recording or streaming it. In addition to the municipal representatives and the mayor, the civil servants performing their public duties at the public session of the body of representatives participating in an official capacity are also to be regarded as public actors, who are obliged to tolerate wide-ranging publicity concerning their activities related to the performance of their public duties. (NAIH-7570/2022, NAIH-6892/2022)

In a case related to the amendment of the local building code of a municipality, the Authority found unauthorized processing because of the publication of the decision of the body of representatives on residents’ request submitted for the review of the settlement development concept and the settlement planning instruments, and called upon the municipality to remedy the infringement found. With respect to proposals made within the framework of partnership reconciliation with names and other personal data, it is not the citizen who submitted the proposal that is relevant, but the content of the proposal is important for the municipality’s decision-making. Because of this, the publication of the identity and personal data (name, address, other identification data) of the person making the proposal cannot be regarded as necessary either when considering the proposals, or when developing the final decision or when publishing the decision. (NAIH-5736/2022)

In his complaint, the complainant objected to the data processing practice of the evaluation procedure of applications to the post of head of institution invited by one of the national self-governments of ethnic minority. In contrast to the complaint, the Authority established that the expert committee lawfully involved in the evaluation procedure of applications for the post of head of institution carried out its work in a private session excluding the public. Applicants were heard in an alphabetic order one by one, which was substantiated by the minutes of the committee’s meeting. According to the Authority’s position, the professional opinion provided by the expert committee was based on legal authorisation and Article 6(1)(e) of the General Data Protection Regulation can clearly be indicated as the legal basis of processing. (NAIH-3429/2022)

[1] https://naih.hu/dontesek -infoszab -allasfoglalasok?download=575:a -nemzeti -adatvedelmi -es -informacioszabadsag -hatosag elnoke -es -a -magyarorszagon -elo -nemzetisegek -jogainak -vedelmet -ellato -biztoshelyettes -kozos -jelentese -a -nemzetisegi onkormanyzatok -mukodesi -transzparenciajanak -vizsgalata -targyaban

[2] https://naih.hu/dontesek -informacioszabadsag -tajekoztatok -kozlemenyek?download=560:tajekoztato -a -vagyonnyilatkozati rendszer -valtozasairol

10. Freedom of expression - on-line transparency

A complainant objected to being included in a publication of an NGO dealing with events suspicious of corruption. In his view, the publication was on the one hand based on untrue articles and on the other hand it placed the collected information into a new context and drew untrue conclusions from them. The controller informed all the data subjects of the processing prior to its commencement. The information provided said that the primary legal basis of processing was Article 6(1)(e) of the General Data Protection Regulation because the petitionee functions as a foundation for public benefit, its goal is inter alia to map out problems of corruption, informing the public, checking whether expectations concerning transparency were met and facilitating transparency, particularly in view of the use of public funds. Publishing the publication serves this purpose and therefore constitutes an activity of public interest. Secondarily, in view of the practice of the Authority, the petitionee also indicated Article 6(1)(f) of the General Data Protection Regulation and also carried out a balancing test in this context. First and foremost, the Authority stated that data protection supervisory authorities will not and may not take action in cases subject to the competence of civil courts and the right to the protection of personal data cannot become an instrument of restricting opinions hurtful to the data subjects and (perceived to be) unlawful from the viewpoint of civil law. Accordingly, the Authority did not and could not examine the petitioner’s allegations concerning untruthfulness and defamation. At the same time, by indicating two legal bases for the same processing operation, the controller violated the principle of transparency. The Authority accepted the legitimate interest of the controller as the legal basis of processing with the provision that although the petitionee acted superficially in assessing the circumstances of the petitioner and in the balancing of interests and did not do everything in order to examine the consequences of processing, particularly those concomitant with accessibility, with regard to the individual life situation of the petitioner, the deficiencies exposed in relation to the balancing test did not reach the level enabling the establishment of an infringement in view of all the circumstance of the case and the purpose of processing. In this regard, the Authority took into account in particular that the petitionee carries out activities of public benefit as an NGO. Furthermore, the Authority established an infringement of Article 21(4) of the General Data Protection Regulation, because, in its information, the petitionee listed the right to object in the same sentence as the other rights of data subjects, mentioning only that a data subject has a right to object, although pursuant to the General Data Protection Regulation, the controller has to display the information related to the right to object clearly and separately from all other information. (NAIH-1047/2022)

In another case, the complainant objected to the fact that the information displayed on the datasheet of the oneman law office bearing his name included data referring to negative credit events on a company information website. In the course of the procedure, the Authority had to decide whether the data of the one-man law office qualify as the personal data of the lawyer. The Authority based its decision on the fact that in the event of a legal person, such as the law office, the legal person and the natural persons behind it can be clearly delineated and although a natural person takes action by necessity on behalf of and in the interest of the legal person, this does not warrant classifying legal facts related to the legal person as part of the private sphere. Doubtless, the relationship between the natural and the legal person in the case of a one-man law office is much closer, yet even in this case the subjects of the law are clearly separate, the rights and obligations of the law office can be clearly separated from those of the member of the law office as a natural person. The Authority also referred to Recital (14) of the General Data Protection Regulation, which clearly states that the Regulation does not cover the processing of personal data, which concerns legal persons. In view of this, the Authority rejected the petitioner’s petition. (NAIH-740/2022.)

11. The transparency of environmental data

The accessibility of environmental information is frequently restricted with reference to the fact that the person requesting the data is not a client in the procedure, hence he cannot have access to the data of public interest he wishes to know. The Authority consistently established the primacy of the Privacy Act as a source of law in these cases, and warned that it is improper practice to qualify requests for data of public interest as requests to inspect them and thereby restrict the transparency of environmental information.

A complainant requested a permit to cut down a tree and the application for the permit from a municipality, which justified the rejection of the request stating that “the decision is an individual case of administration containing personal data” and the complainant did not meet the legal conditions of inspection as a third person. The Authority referred to judgment P. 20.997/2019/8 of the Budapest Municipal Court, according to which “Section 33(1)-(4) and (6) of the General Administrative Procedures Act referred to inspection of documents, but the decision according to paragraph (5) is accessible to anyone without restriction”. The decision containing the permit to cut down a tree qualifies as environmental information according to Section 2(c) of Government Decree 311/2005. (XII. 25.) on the order of public access to environmental information (hereinafter: Decree) as a measure related to the environment taken to protect the environment and its elements. Upon the Authority call, the municipality sent the requested decision and application to the petitioner while blocking the personal data. (NAIH-1948/2022)

Also in the area of access to environmental information, one of the most frequent reasons of rejection is reference to supporting decisions pursuant to Section 27(5)-(6) of the Privacy Act. It is a general problem that the holders of the data maintain automatically the restriction of access to data supporting decision-making even after the decision has been made, although by then the main rule is the accessibility of the data. In the public procurement procedures concerning the development of Lake Fertő Aquatic Centre I (Procedure 1) and the development of the Lake Fertő Aquatic Centre II (Procedure 2), the draft contracts demanded the use of an Llc specified by name to perform the monitoring tasks. The notifier requested the tourism development non-profit company (hereinafter: Zrt.) to provide the details of the procedure concerning the selection and use of the Llc. According to the Zrt., the data of the procedures in progress are data supporting decision-making and thus they are not accessible until the selection of the winning bidder. At the time of the data request, Procedure 1 was already closed, hence the Zrt. incorrectly referred to Section 27(5) of the Privacy Act. Procedure 2 was still in progress at the time of the data request. Despite this, the Authority did not accept the Zrt.’s reference to Section 27(5) of the Privacy Act, because the specification of the content of the public procurement documentation also qualifies as “decision”, including that the draft contract constituting a part of the documentation named the Llc. as performing monitoring. The data supporting the decision to select it and the public procurement document - as the decision on launching the public procurement decision was already made and the announcement of the procedure was already published - are accessible to the public as a main rule. The Zrt. failed to accurately specify the legal regulation that prohibits the issue of public procurement documentation in the event of a request for data of public interest and in what way the accessibility of data concerning the selection of the company for monitoring and of the public procurement documentation would jeopardize the closure of the procedure - i.e. its justification did not exceed the level of generalities. When carrying out the balancing test based on Section 30(5) of the Privacy Act, according to the Authority’s position, the fact that the data concerning the selection of the company for monitoring qualifies as environmental information based on Section 2(c) of Government Decree 311/2005. (XII.25) is of particular importance. The requirement of monitoring serves the protection of an area, which is part of world heritage, it is a protected nature conservation area, it is part of the Natura 2000 network, it is a special bird protection area and a natural conservation area of outstanding importance, there is therefore an overriding public interest in the accessibility of the data concerning the selection of a company doing it. (NAIH-4719/2022)

An NGO submitted a data request to the National General Directorate of Water Management (hereinafter: OVF) in relation to the Lake Fertő Aquatic Centre. The subject matter of the data request was a letter by the regional water management directorate containing a statement that the final state planned by the contractor would enable the performance of their specialised tasks in the beach zone. In OVF’s view, if it had to presume in all its internal correspondence that it was likely to come to the attention of a third party, the communication would cease to be able to transmit certain data, facts and statement, which would significantly hamper the activities of the organs of public administration or even render it impossible. The Authority does not doubt the public interest in restricting the accessibility of internal communications among organs of public administration. However, the fact whether the organ’s decision was already made or not, is of fundamental importance in restricting public access. Based on Section 27(6) of the Privacy Act, they have to assume that even internal correspondence could be accessible to the public if they cannot substantiate why they believe that access to their internal correspondence would jeopardise the lawful functioning of the organ or the performance of duties without undue external influence. Future decisions will also have to be accurately specified and they have to be made within the foreseeable future, so the Authority did not accept OVF’s statement that the requested letter “would qualify as a document serving as the basis for responding to any other requests from citizens”. (NAIH-3894/2022)

Another notification objected to the fact that the protocols and testing data from the testing of sub-surface waters by a company and the testing of the monitoring wells located on one of the premises of the company submitted to the Budapest Disaster Management Directorate (hereinafter: Directorate) and the documents of the authority investigations of the company’s premises by the Directorate were not issued. According to the information provided by the Directorate, the requested data were uploaded to the OKIR system. Similarly to the notifier, the Authority also experienced that there was no possibility to query the data because the database “was under development”. The Directorate also explained that with regard to the data uploaded to the OKIR system, the controller according to Section 3(9) of the Privacy Act was not the Directorate, hence it was unable to forward data from the database. Pursuant to Section 2(a) of the Regulation, the results of sub-surface monitoring qualify as environmental information. The Privacy Act does not specify as a condition of fulfilling data requests that the organ performing public tasks determine the purpose of processing the requested data. Furthermore, neither does the convention on access to information, public participation in decision-making and access to justice in environmental matters adopted in Aarhus on 25 June 1998 (promulgated by Act LXXXI of 2001) subject the issue of environmental information to a condition of the same content specified in Section 3(9) of the Privacy Act. The Directorate sent numerous monitoring documents to the Authority, hence these data were processed by the Directorate and were obviously generated in relation to its activities, so they have to be issued to the person requesting them, while blocking the data to be protected in view of the fact that they were not accessible from the public source indicated. Information about the data does not replace the issue of the data. In relation to public access to the requested statements of the specialised authorities, the Authority explained that environmental information in general consists of objective data and facts, in the case of which – particularly once the decision was made – it is highly questionable whether their accessibility would frustrate the efficient implementation of the decisions or jeopardise independent and effective work by civil servants, free from undue external influence. The Directorate should have carried out the balancing test required under Section 30(5) of the Privacy Act and should have presented its criteria and results to the Authority. The Authority called upon the Directorate to send the monitoring results, the requested protocols and statements by specialised authorities to the notifier. However, the Authority terminated the investigation because in the meantime, the notifier also launched a court procedure. (NAIH-252/2022)

The purpose of a preliminary environmental study is to enable the environment protection authority to establish whether the implementation of the planned activity could have substantial impact on the environment, and according to this, to decide on additional requirements, or that a permit of implementation may not be issued. Access to the documents of the procedure is of particular importance in order that local residents are allowed to assess what kind of impact the planned activities will have on their living conditions.

The notifier submitted a data request concerning the details of an investment project which pursuant to Section 3(1)(a) of Government Decree 314/2005. (XII.25) on environmental impact assessment and the procedure for granting integrated permit to use the environment (IPPC permit) is subject to preliminary impact assessment. Based on Section 2(c) of Government Decree 311/2005. (XII. 25), the documentation of preliminary assessment contains environmental information. Based on point 3 of Annex 4 to the Government Decree, the data constituting business secrets according to the user of the environment will have to be designated as such and presented separately in the documentation of the preliminary assessment. The Authority found that if the company did not make use of this opportunity, it should have issued the entire document to the person requesting the data. In addition, the investment was financed and supported by the tender submitted under the call for proposal GINOP 7.1.2 -15, , so the Authority called upon the company – with success – to issue the data of the investment implemented through the use of public funds, which do not qualify as business secret, and the data, which do qualify as business secret, but whose disclosure would not give rise to a disproportionate harm to commercial activities, as well as the documentation of the preliminary assessment. (NAIH-2564/2022)

In a notification related to another preliminary assessment procedure, the publication practice of a municipality and a government office was objected to in a preliminary assessment procedure for a bicycle path. According to the obligation set forth in Section 3(2) of the Government Decree, the environment protection authority has to publish the application and its annexes electronically in the preliminary assessment procedure. Section 3(3) of Government Decree 314/2005. (XII. 25) requires that the environmental protection authority publish the name and office contact data of the case administrator in its announcement. The announcement of the environment protection authority included information stating that the competent municipal executive provides an opportunity for those concerned to exercise their rights of making statement and inspecting documents and if requested, provides detailed information during consulting hours. Section 3(4) of the Government Decree requires the full publication of the announcement of the environment protection authority, which the municipality failed to comply with and thereby infringed the notifier’s right to access data of public interest and also violated this right by failing to publish the announcement in Section II.10 of its general publication scheme. So, the notifier could not obtain information on the option of inspection in person as an alternative to unsuccessful electronic access, or of the contact data of case administrators, who would have been able to help him with downloading the documents. (NAIH-7524/2022)

12. Public education, higher education

Inquiry into a number of data requests addressed to School District Centres were put on the agenda, which were related to education-related social problems and debates. The most significant of this was the complaint of the Teachers’ Trade Union (hereinafter: PSZ) because of rejecting requests for data of public interest – how many colleagues working in public education and vocational education were on sickness benefit, for altogether how many days they were absent, how many employment relationships were terminated and of this, how many people retired or diseased between 1 January and 30 June 2021 – submitted to the Hungarian Treasury (MÁK), the 60 School District Centres and the 40 Vocational Training Centres. After 90 days, in their letters rejecting the data request, the contacted organs referred to not processing the data in the requested format, they could not be required to generate them, and they also made reference to Constitutional Court Decision 13/2019. (IV. 8.) AB, which stated that ”the controller is not under an obligation to collect data, or to generate new, qualitatively different data or data series by way of the comparison of the data it processes. Furthermore, the person requesting the data may not claim a right to have somebody else query the data, which are otherwise accessible.” In the course of its inquiry, the Authority found that a substantial part of the data requested by the notifier were processed by these organs and the Constitutional Court Decision referred to may not be applied as reason for rejection because the data need not be generated by physically searching one by one for sickness benefit documentation and death certificates and other documents as they have been available electronically and could be obtained from the databases and payroll programs processed by the employers with a simple IT operation. Moreover, in an earlier period, MÁK already provided the data indicated in the petition for inquiry to the notifier and the legal environment has not changed since then.

In this case, the Authority contacted and sent several calls and orders to the Klebelsberg Centre (KK), the National Office for Vocational Training and Adult Training, MÁK, the Ministry of Human Resources, the Ministry of the

Interior, the Ministry of Culture and Innovation, the Office of Education and to all the School District Centres and Vocational Training Centres of Hungary. In its response, the Ministry of the Interior explained in detail that the school district as employer processes the data related to the personal remuneration of teachers; with regard to sickness benefits, the school district as employer records the absence data of public employees (e.g. the fact of incapacity for work and its duration) in the centralised payroll system (KIRA) and forwards the medical documents related to incapacity for work to MÁK.

However, in the absence of legal authorisation, the school district does not record the specific reason for incapacity for work. Thus, concerning the issue of how many employees were on sick leave or received sickness benefit as a result of viral infection, the employer does not have recorded data. The data processed by the school districts can be generated using mathematical and IT operations. The data sets indicated are processed by the organisational unit of the school district in charge of human resources, the average headcount of those working there is 5 to 6 people per centre. The generation of the data by the school district is possible by querying KIRA and the SAP HR module of the KRÉTA administration system and by sorting them in Excel tables. This means that the data that the trade union requesting the data wished to access were existing recorded data actually processed by the school districts, except for whether the reason for the sickness benefit was coronavirus infection, and they can be retrieved from the databases of the school districts by electronic query. In this case, based on the Fundamental Law, the Privacy Act as well as the relevant decision of the Constitutional Court, the school district is under an obligation to meet the request for querying the data according to specific criteria and organising them in a table. Ultimately, the school district centres and the vocational training centres complied with the Authority’s call and issued the requested data of public interest to the notifier. (NAIH-235/2022, NAIH-237/2022, NAIH-3649/2022)

In the other significant inquiry case, the notifier Member of Parliament objected to the rejection of his request for data of public interest – a comprehensive set of questions concerning motivational awards and festive rewards paid – submitted to the school district centres and the Klebersberg Centre after 90 days with reference to Constitutional Court Decision 13/2019. (IV. 8.) AB and Section 30(2) of the Privacy Act. It should be noted that this section of the law can apply only if the organ performing public duties fulfils the data request by sending an accurate link. The websites provided by the school districts, however, were not accurate and did not contain the requested information. Ultimately, upon the call of the Authority, the requested data were issued. (NAIH-6111/2022)

In another group of cases, also a Member of Parliament turned to the Authority because of the negative response of the Ministry of Human Resources (EMMI). The notifier would have liked to know the number of students commencing and successfully completing training, providing the qualifications and skills needed to fill the post of a teacher, and the number of those newly entering the teaching profession in academic years 2020/2021 and 2021/2022 in a breakdown by kindergarten/school. With regard to the first two questions EMMI stated that it did not have the data in the absence of competence and with regard to the third question, it referred to Constitutional Court Decision 13/2019. (IV. 8.) AB. The data requested by the notifier are data of public interest, which the notifier in July 2019 had already received retroactively for 9 years for the period 2010-2019. In the course of its investigation, the Authority found that the notifier was not informed of which organ performing public duties processes the requested data, or of the fact that with regard to the 3rd question the data are available from October. Furthermore, the notifier requested the data not for each kindergarten and each school, but for teachers in kindergarten and school – i.e. he requested two data each with regard to the two years mentioned, , so based on the above, the Authority called upon EMMI to send the latter data to the person requesting them free of charge and without delay. The data in points 1 and 2 of the data request can be requested from the Ministry for Innovation and Technology (hereinafter: ITM), which the notifier did and turned to ITM and the Office for Education.

In its response, ITM explained that according to their position, EMMI informed the Authority not about who qualifies as controller with regard to the requested data, but indicated that the area of higher education and vocational training as a special area now belong to the scope of responsibilities and powers of ITM. So, they again informed the notifier that ITM does not qualify as controller according to Section 3(9) of the Privacy Act with regard to the data requested. After this, the Authority called upon ITM and EMMI to investigate the whereabouts of the data of public interest requested to be accessed by the notifier and asked for information whether the requested data are processed by the two ministries mentioned, to which organ the data requested by the notifier were forwarded from EMMI and where the notifier can turn to in order to request the issue of the data. Furthermore, the Authority informed the ministries that the capacity of controller according to Section 3(9) of the Privacy Act can only be interpreted in the context of processing personal data; however, this case did not concern the accessibility of personal data. In its response, EMMI informed the Authority that the Office for Education (hereinafter: OH) has the responsibilities and powers with regard to the requested data. At the same time, OH invoked Constitutional Court Decision 13/2019. (IV. 8.) AB and stated that it was unable to produce the data requested by the notifier even with substantial human resources, hence it was not going to alter its position concerning the issue of the data. ITM informed the Authority that the requested data can be obtained from the higher education information system (hereinafter: FIR); OH was responsible for FIR’s operation and they ensure the accessibility of data of public interest and data accessible on public interest grounds processed in FIR. Based on the above, the Authority established that the data of public interest requested to be accessed were processed by OH, the data were available electronically and could be obtained with simple IT operation. Based on the above, the Authority called upon OH to send the data of public interest processed in FIR and to be accessed to the notifier without delay. Upon the Authority’s call, OH’s president issued the data available in OH on 11 March 2022 to the notifier as requested. (NAIH-7637/2021, NAIH-552/2022)

Numerous objections were received this year too because of the unlawful publication of the personal data of children – on Facebook or on websites – primarily with in nurseries, kindergartens and baby clubs. The Authority asked the institutions in every case to provide information in writing about the purpose and the legal basis of processing and requested that if they do not have the legal basis appropriate according to the General Data Protection Regulation for the processing of personal data the entries containing personal data (in this case photos) should be removed and they should pay attention in the future to the data protection settings, particularly with regard to the visibility of entries containing personal data. It also called upon the institutions to remove from their social networking site the photos and video recordings of children previously published,, in whose case the parents did not consent to the publication of the images of their children in an identifiable manner. (NAIH-2885/2022, NAIH6053/2022).

The students of the Szeged University of Sciences notified the Authority that the Students Self-Governing Body (EHÖK) failed to respond to their data requests submitted four times in which they objected to the inaccessibility of spending by EHÖK and the student self-governing bodies of the faculties on EHÖK’s website. The Authority established an infringement and called upon EHÖK to send the data of public interest requested to be accessed to the notifiers in the format required by them; the data request can also be fulfilled by publishing the data in EHÖK’s website and sending the specific URL addresses to the notifiers. Finally, EHÖK’s new president informed the Authority that they fulfilled the notifier’s data request. Nevertheless, the Authority called the attention of EHÖK to the fact that as an organ performing public duties, EHÖK has to meet its electronic publication obligations as required by Chapter IV of the Privacy Act and to publish its data of public interest on its website according to the general publication scheme of Annex 1 to the Privacy Act. (NAIH-3263/2022.)

A parental forum requested consultation with the Authority concerning the issue of whether data on the qualifications of teachers teaching the children and data concerning their substitution at school, the data on the qualifications of the substituting teacher are accessible. The data requested by the parents are data accessible on public interest grounds, whose accessibility is guaranteed by Section 26(2) of the Privacy Act; furthermore, based on Government Decree 229/2012. (VIII. 28.) on the implementation of the Act on National Public Education, institutions of public education have to publish the data concerning the qualifications of teachers on their websites (NAIH-6482/2022).

13. Classified data and Authority procedure for the supervision of data classification

In the course of a litigation for the issue of data of public interest, the Budapest Municipal Court initiated an authority procedure for the supervision of data classification by the Authority, in view of the fact that the controller (the respondent of the litigation before the Budapest Municipal Court) refused to fulfil a request for data of public interest, because the requested data were classified.

The Authority established that the purpose of conducting the authority procedure for the supervision of data classification initiated by the Budapest Municipal Court was in actual fact impossible as the conditions of conducting an authority procedure for the supervision of data classification did not exist with regard to the data according to the subject matter of the litigation. Upon the call of the Authority, the controller was unable to show which of the information requested in the complaint was classified data. In this context, it only informed the Authority that the documents with which it could produce the requested data – the filing records kept according to Section 43(3) of Government Decree 90/2010. (III.26.) on the order of processing classified data (hereinafter: Government Decree) - carried repeated classifications. According to the position of the controller, the filing records can only be used to assist with the handling of documents, the data requested by the petitioner cannot be produced from them.

The Budapest Municipal Court sent extracts of the filing records kept by the respondent to the Authority (excluding the pages which could contain classified data). The Authority reviewed the extracts of the filing records, compared them with the data constituting the subject matter of the litigation and upheld its former position according to which the data request listed in the complaint do not relate to specific information contained in the documents entered into the filing records, but to the fact of general information concerning them. These data do not correspond to the classified data in the documents concerning which the repeatedly classified filing records may contain information.

Based on Section 45(2) of the Government Decree, if any information of merit can be derived from the filing records as to the content of the classified data processed, the classification marking appropriate to the data processed containing the highest level of classification must be repeated on the cover of the filing records. In the course of the examination of the filing records sent, the Authority found that in accordance with the legal regulation referred to, the cover of the filing records bore the repeated classification marking; however, the data recorded in the extracts of the filing records sent do not refer to the classified data in the documents which, according to the evidence of the filing records, were processed by the respondent. They are data, which have to be applied in general when processing classified documents; they represent information concerning the identification of the filed documents, the sending organ and the arrival and filing of the document. From these, no inferences can be made as to the content of the classified data in the documents shown in the filing records.

Therefore, the conditions of launching and conducting an authority procedure for the supervision of data classification did not prevail in view of the fact that the controller (respondent) did not even formally substantiate that the information requested as data of public interest indicated in the complaint were classified, because the data constituting the subject matter of the litigation were not included in the documents bearing the repeated classification marking sent by it.

Pursuant to Section 62(4) of the Privacy Act, the classifier of the data shall be a party to authority procedures for the supervision of data classification. Therefore, as a preparatory question for the authority procedure for the supervision of data classification, the Authority also wished to clarify who classified the data according to the subject matter of the litigation before the Budapest Municipal Court and what was their classification marking. It was found that the classifiers, shown in the repeated classification marking of the filing records according to Section 7 of the Act on the Protection of Classified Data, classified data other than those constituting the subject matter of litigation, hence they could not become parties to the authority procedure for the supervision of data classification as persons classifying the data that constituted the subject matter of the litigation in progress before the Budapest Municipal Court. At the same time, the legal regulations in force do not enable the Authority to examine the lawfulness of the repeated classification at the controller applying the repeated classification marking under an authority procedure for the supervision of data classification, involving the controller or its representative in the procedure as a party because only the classifier may be a party to an authority procedure for the supervision of data classification.

The Authority continues to emphasize the following in relation to classification and fulfilling requests for data of public interest.

The Fundamental Law protects personal data, but in the case of data of public interest, it endeavours to guarantee access and dissemination, which is a precondition to participation in public affairs and public life. This was confirmed by the Constitutional Court when it declared that free access to information of public interest allows for the control of lawfulness and efficiency of the elected representative bodies, the executive power and public administration and encourages their democratic operation. Because of the complicated nature of public affairs, citizens’ control and influence over decision-making by the public power and the administration of affairs can only be efficient, if the competent organs disclose the necessary information. [Constitutional Court Decision 32/1992.

(V. 29.) AB]

The classification of data is the most severe restriction of the freedom of information. When in relation to some information reference is made to the fact that it is classified data, the following should be taken into account:

The accurate specification of the classified data is essential because the rules of the protection of classified data are based on the data principle and not on the document principle. Paragraph [49] of the justification of Constitutional Court Decision 29/2014. (IX. 30.) AB expounded this as follows:

“With regard to the extent of the restriction, furthermore, attention must be paid to the fact that withholding information may not apply in general to the documents, hence constitutionally a regulation which withholds documents from publication not according to their content is not constitutionally acceptable [cf. Constitutional Court Decision 32/1992. (V. 29.) AB, ABH 1992, 182, 184.]. “In the interest of the enforcement of the right to access and disseminate data of public interest, a restriction, which finally withdraws a data or an entire document from publication or which restricts access to a document in full irrespective of its content, cannot be regarded as being in line with the Fundamental Law.”{Constitutional Court Decision 21/2013. (VII. 19.), Justification [46]}. Furthermore, it cannot be reconciled with Article I(3) of the Fundamental Law as a restriction of the right to access and disseminate data of public interest cannot be regarded as unconditionally necessary, if in a given case, by citing the reason for restricting access, access to a wider range of data of public interest is forbidden, then what would be necessitated by the reason for restriction provided. In particular, this can be established whenever access to all the data of public interest in a given document is refused simply by reference to the fact that a part of the document is subject to access restriction […].” {Constitutional Court Decision 21/2013. (VII. 19.), Justification [60]}.”

According to the provisions of Constitutional Court Decision 13/2019. (IV. 8.) AB and the position of the Authority, a request for data for public interest cannot be refused because the requested data is not available directly or by way of electronic querying. It may be that the data have to be searched, sorted according to specific criteria and organised. The controller is not under an obligation to obtain or collect new data, nor to generate qualitatively new data or an explanation of the data. Nor may the controller rely on the fact that rendering the requested information accessible would require additional work resulting in the expenditure of time and additional costs. The Privacy Act does not include such reasons for refusal. (NAIH-3055/2022)

14. Other cases commanding substantial public interest

The Authority received several notifications from a person requesting data in relation to a national series of 228 concerts and events called 2021 “Őszi Hacacáré” (free concerts, community events, family programmes, village fetes and arts and crafts activities). The complainant unsuccessfully requested Antenna Hungária Zrt., Visit Hungary Zrt., the Magyar Turisztikai Ügynökség and several subcontractors to send all the contracts and other documents concerning the series of concerts. In view of the amount of public funds used (close to 5 billion forints) it is understandable that the documents and contracts generated in relation to the series of concerts commands substantial interest. According to the facts of the case established in the course of the investigation, the Nemzeti Kommunikációs Hivatal (National Office of Communications) launched a public procurement procedure to provide event organisation services, whose winning bidder, Antenna Hungária Zrt., entered into a general framework contract with Visit Hungary Zrt. Another two actors in this group of cases also concluded contracts with Antenna Hungária Zrt., on performing services for the administration of the concert series. Being called upon to do so, the individual companies sent the contracts to the complainant, blocking the data, which in their view were to be protected; however, the Authority could not accept as reason for rejection that the business organisations concerned in the case were not organs performing public duties and hence the scope of the Privacy Act does not extend to them. At the time of submitting the data request, Antenna Hungária Zrt., was held by the state, hence it is under an obligation to issue the requested data. At the same time, pursuant to Section 27(3)(a) of the Privacy Act, this obligation to provide information also applies to the companies in a business relationship with it. Based on Curia Judgment Pfv.20.904/2021/5 and Decision Pf.20.031/2019/5 of the Budapest Municipal Court, the Authority took the position that a business organisation held by the state belongs to a subsystem of public finances in view of the above provision of the Privacy Act, hence those in a business relationship with it have also to ensure the transparency of the use of public funds. Certain business organisations cited the protection of business secrets (for instance, the name of the person representing the company, contractor’s fee, advance payment, penalty for delay) on several occasions and on that basis, refused to issue the contracts and the related documents or blocked data of public interest in the documents. In its call sent to the companies, the Authority underlined that based on Section 27(3) of the Privacy Act access to the data of documents (business secrets) can only be restricted, if it does not prevent access to data accessible on public interest grounds. The guidelines published by the Authority on the limits to access to data of public interest also calls attention to the proper interpretation of this. The amount of the contract cannot be a subject to business secret, the name of the person signing on behalf of the company may not be blocked because it is not personal data to be protected, but data accessible on public interest grounds. Two companies believe to have fulfilled the data request by sending a link pointing to a website, but only certain contractual data were listed on the website. They partially met their disclosure obligations with the data included in the list; this, however, was unacceptable as an answer to the data request. As a result of the investigation, the Authority called upon the companies to fulfil the data request without blocking data of public interest or data accessible on public interest grounds, and at the same time terminated the investigation against Magyar Turisztikai Ügynökség. (NAIH-998/2022. NAIH-7707/2021, NAIH-7368/2021, NAIH-7367/2021, NAIH-7363/2021)

15. International affairs

Council of Europe Convention on access to official documents (CETS No. 205., promulgated in Hungary by Act CXXXI of 2009) entered into force on 1 December 2020. However, the 10-member independent expert group mandated to monitor the implementation of the Convention (one of whose expert members is NAIH’s President) met for the first time in Strasbourg only on 18 November 2022, where they discussed primarily the rules concerning in the procedures of the expert group.

The 13th International Conference of Information Commissioners (ICIC) was held in Puebla (Mexico) in 2023 with the title “Access to information, participation and inclusion in the digital age”. The most important message of the mutually accepted statement was the joint protection of the autonomy, independence and inviolability of the supervisory authorities.^{^[1]}

UNESCO also issued an important statement at the conference organised on the occasion of the International Day of Freedom of Information entitled “Tashkent Declaration”, in which it calls upon all governmental and nongovernmental actors to create and operate a legal, political and institutional environment that ensures the exercise of the right to the freedom of information in accordance with international standards.^{^[2]}

[1] https://www.informationcommissioners.org/wp -content/uploads/2022/07/Public -Statement_ICIC.pdf

[2] https://unesdoc.unesco.org/ark:/48223/pf0000383211?posInSet=1&queryId=c45caa75-e743 -402e -be6e -c2320ed7fd24

16. NAIH’s freedom of information project

At the end of 2022, the long-term research project that defined the activities of NAIH’s freedom of information experts over the past years, in addition to their day-to-day work, was completed. As a general summary, it can be stated that the enforcement of the freedom of information in Hungary shows a rather self-contradictory picture: whereas the Hungarian regulatory system can be regarded as adequate – in some cases outstanding – in an international comparison and the supervisory authorities as well as the agencies for legal remedy carry out their roles appropriately, the research exposed extraordinary deficiencies (“practice to be vigorously improved”) on the part of controllers in the case of processes affecting compliance with obligations.

The way to make freedom of information more effective is not to increase the volume of information available, but to make the information that is actually relevant more accessible and easier to find. Based on their research, the experts recommend the “smart transparency” approach rather than the “widest transparency possible” and formulated the recommendations largely in accordance with this approach.

The results of the research unambiguously confirm the preliminary assumption that online publication is one of the most emphatic instruments in the enforcement of the freedom of information. Hence the reinforcement of proactive publication with guarantees is one of the most important goals as it can powerfully improve the efficacy of the freedom of information in the future. In addition, the research explored some problems that can be traced back to legal regulation, which can be remedied by legislation or by amending legal regulations.

Meeting the requirements related to the freedom of information would be better encouraged by rendering effective controlling and sanctioning possibilities applicable. Soft and hard legal consequences, particularly through sanctioning the infringement of publication obligations, contribute to the compliant behaviour and the orientation of organisations subject to disclosure obligations.

In fulfilling individual data requests, it is important to require both actors to cooperate and to introduce a reasonability limit to be interpreted stricto sensu against clearly excessive manifestations that are disproportionately burdensome. In addition, an attitude stemming from internal conviction is also important, for which the selfevaluation toolkit can be useful. However, as long as the general cultural medium fails to move towards the importance of transparency, neither of the actors can be expected to make substantial advances in this field. The circle of citizens who make use of their rights related to the freedom of information is very narrow - i.e. there is no general interest on the part of citizens in data of public interest or data accessible on public interest grounds in relation to the operation and activities of organs performing public duties. For the better enforcement of the freedom of information as a fundamental right, substantial changes are needed on the part of both those requesting data and those controlling them: in the case of citizens, primarily by improving their awareness of their rights, while on the part of the controllers by improving their attitude and commitment. For this, external support with assistance from the supervisory agency seems to be indispensable. In order to change attitudes, it is recommended that information on the freedom of information should be included in public education.

Independent statements can also be made for certain target groups of priority studies. In the case of the target group of municipalities, the research results clearly show that the majority of municipalities fails to appropriately meet their obligations of providing information and transparency as set forth in the Privacy Act either in terms of electronic publication or meeting requests for data of public interest, whereas the municipalities/mayor’s offices, where trained and experienced persons are employed in charge of informational rights, perform much better. The existence and especially the quality of websites is clearly correlated to the size of the settlement. Only 47% of municipal websites have search engines (this would greatly assist in the implementation of the freedom of information) and, all in all, only 17% of the websites can be said to be of good standard. In the course of the test data requests, 41% of the municipalities did not answer a single question, while an additional 10% unlawfully

rejected every single question. The Guidelines for Municipalities issued is recommended expressly to this target group.

In relation to electronic publication by the organs of central public administration, it can be said that all in all in a third of the entire sample, the websites under study did not comply with the requirements of the legal regulation and the conditions of the detailed study. It is recommended to review Government Decree 305/2005. (XII. 25.) establishing the detailed rules of meeting publication obligations and the detailed rules of the electronic publication of data of public interest, the integrated system for querying public data, the data content of the central list and data integration, as well as IHM Decree 18/2005. (XII. 27.) on the publication samples needed for the publication of data in the publication schemes, particularly with regard to the format and location of publication: i.e. what should be shown in what format/structure/template and where they should be shown on a website. The Uniform Public Data Retrieval System (www.kozadat.hu) in its current form fails to fulfil its function: its operation is difficult to understand and manage for controllers; the omissions are not penalised, they remain without consequences, hence the accessible data content is deficient and its quality is unreliable. Furthermore, it would be necessary to create a central governmental website with a view to the better enforcement of the freedom of information. The majority of data subjects would support the creation of such a public central website for monitoring the use of domestic budgetary funds.

In the case of the target group outside the public administration but performing public functions and/or managing public funds, it is the subjects belonging to this "mixed" target group (especially state-owned and municipally-owned companies, public foundations, other non-profit organisations with a state or municipal background, public bodies and higher education institutions) who, according to the research results, are the least compliant.

Based on research results, the least compliant behaviour was exhibited by the target group outside public administration, but discharging public tasks and/or managing public funds (a “mixed” target group, primarily business organisation held by the state or municipalities, public foundations, other non-profit organisations backed by the state or municipalities, public bodies and institutions of higher education). In the case of foundations backed by the state or municipalities, the ratio of those absolutely failing to meet their publication obligation is extremely high (95%). Only 2% of these organisations fulfilled the test data request in full, while 58% of these organisations did not respond at all. An absence of endeavour for transparency is unambiguous, which may be attributed to issues of attitude, but perhaps even more so, to a lack of knowledge. In addition, according to the legal entities in this target group, the separation of commercial and non-commercial activities causes difficulties in the context of business secrets in the case of publicly owned business organisations, primarily those held by the state. As the main problem here is the (self-)identification of obligees, the Guidelines “Adatvédelmi kisokos: ki tartozik az infotörvény hatálya alá?” (Data protection smart guide: who is subject to the Privacy Act?) is recommended expressly for this target group.

Detailed information on the project and its outputs (guidelines, municipal indexation, etc) is available on the new freedom of information portal at infoszab.naih.hu.

2020

1. Introduction

2020 was a hectic year from the viewpoint of the freedom of information, the primary reason of which was the emergency or health crisis due to the COVID pandemic.

The power drafting the bill or rather the constitutional amendment chose not to invite NAIH’s opinion in the course of the constitutional amendment related to the notion of public funds in December. Bill T/13647 was the ninth amendment to Hungary’s Fundamental Law, whereby Article 39 of the Fundamental Law was supplemented with the following paragraph (3): “Public funds mean the state’s revenues, expenditures and receivables.”

According to the justification of the amendment: “The Bill defines the notion of public funds, so as to allow the evolution of a uniform practice instead of the current different practice of the constitutional bodies. The Bill clearly and unambiguously defines the notion of public funds covering the entire operation of the state, which is a guarantee to the transparent use of public funds. With this definition, the notion extends to all the constitutional, state and municipal bodies, state and municipal institutions.”

According to the Authority’s position, the new definition of “public funds” will not be suitable for terminating or mitigating the deficiencies and inconsistencies in the interpretation of the law to be remedied, but it may lead to additional confusion in the interpretation of the law. In our view, it would be more appropriate to include some kind of differentiation also in legislation in the case of participation in public funds and state assets. By including the notion of data accessible on public interest grounds, in addition to data in the public interest, in the Fundamental Law, it would be possible to settle at the level of the law exactly which data sets, data types must be made public, to substantially improve the competitiveness of the state and business organisations subject to market conditions, while at the same time, creating a clear and unambiguous situation for those applying the law in the field of rights and obligations.

NAIH continues to maintain, and intends to apply also in the future, its statements related to the accessibility of the use of public funds.

The Authority received more complaints and other submissions related to data in the public interest than in the preceding year: the investigation and administration of over 900 cases was in progress at the Department for Freedom of Information, which shows a substantial increase in case numbers by about a quarter.

In addition to the submissions directly affecting the fundamental right to access data in the public interest and data accessible on the grounds of public interest, this department is responsible for the investigative procedures and the Authority’s data protection procedures conducted on the basis of complaints related to other fundamental rights affecting public access. In relation to the effectiveness of investigative procedures, it should be noted that, unfortunately, it does happen albeit rarely, that the controller sought – whether it is a small municipality or a ministry – fails to respond to our call. In such cases, the Authority may issue public reports naming the controller (see for instance: https://www.naih.hu/ files/Infoszab_jelentes_NAIH_2020_4801.pdf ) and there are examples of the Authority launching a data protection procedure imposing a fine.

The entry into force of Council of Europe Convention on access to official documents (CETS No. 205., promulgated in Hungary by Act CXXXI of 2009) on 1 December 2020 was an event of major international significance; this could take place following the tenth ratification (Ukraine). The document was signed by 8 countries, including Hungary, in Tromsø, Norway in 2009 and we were the second country after Norway to ratify it in 2010. This Convention is the first international legal document imposing obligations in the field of the freedom of information, it is open to countries that are not members of the Council of Europe as well as to international organisations, and it has an expressly practical approach (for instance, the term “public authority” includes everybody, natural or legal person discharging public duties, the objective of the person requesting data is irrelevant, the accurate description of the requested document is not expected, personal inspection is free of charge, etc.). The independent expert group consisting of 10-15 members responsible for monitoring the implementation of the Convention will begin its work early in 2021.

2. Important decisions of the Constitutional Court

Constitutional Court Decision 7/2020. (V. 13.) AB: the Fővárosi Ítélőtábla (Budapest Court of Appeal) initiated the annulment of Section 27(3b) of the Privacy Act in the case of the judicial initiative against this provision. In the initial case, the issue of the construction documents of a motorway construction financed by public funds (with EU support, procured through a public procurement procedure) was requested. The court of the first instance rejected the case on the grounds that pursuant to Section 27(3b), the trade court is responsible to legal oversight over the defendant as a business organisation, hence the court has to terminate the lawsuit. According to NAIH’s position^{^[1]}. the specific provision of the law provides an opportunity only for the person exercising his rights to turn to the body in charge of legal oversight which however may not impair his constitutional right to turn to the Authority or directly to the court requesting legal remedy in the event of noncompliance or inappropriate compliance with the obligation to provide information in relation to data in the public interest with a view to investigating the infringement. The Constitutional Court rejected the motion as the opportunity to initiate the procedure by the body responsible for legal oversight in itself cannot be regarded as a requirement restricting a fundamental right; at the same time, it established that Parliament created an anti-constitutional situation by way of an omission infringing the Fundamental Law because it failed to provide efficient legal defence for the person requesting the data in the event of non-compliance with the obligation to provide information as set forth in Privacy Act Section 27(3)(a). As Section 31(3) and (5) of the Privacy Act expressly mentions “body discharging public duties” as the defendant in a litigation that may be launched in the event of noncompliance with a data request, starting litigation concerning a request for data in the public interest as set forth in Sections 28-31 of the Privacy Act is not admissible against persons and entities subject to the obligation to provide information according to Section 27(3a). Privacy Act Section 27(3b) allows only to turn to the body exercising legal oversight, which is however not authorised to order compliance with the request for data. Defending the right to access and disseminate data in the public interest requires that the request for data could be enforced in front of a court with respect to all those subject to the obligation to provide information.

Decisions 3209/2020. (VI. 19.), 3210/2020. (VI. 19.) and 3211/2020. (VI. 19.) AB concerning constitutional complaints related to lawsuits launched because of the infringement of goodwill through reports and articles published in relation to the so-called “Questor case”: the disputed articles published the names of the data subjects, the names of their earlier workplaces, the fact of their civil partnerships, the names of their life companions, their family relations and through that, data related to the family of the petitioners taken in the wider sense without the consent of the data subjects and the petitioners launched litigation against various news portals and newspapers on the grounds of infringement of privacy and the right to the protection of personal data. The courts taking action had to resolve the conflict of law concerning the freedom of expression, freedom of the press, the right to provide information about the case presented and the right to the protection of personal data. The Questor case was of outstanding public interest, given the large number of the people sustaining losses, its nationwide scope and the extent of the damage. The Constitutional Court declared that the credibility of a news item is not in itself reinforced by providing the name of a given person, but the public disclosure of the family relations and earlier workplaces of the petitioners was in the given case in the public interest. Their working relationship between the petitioners and the person accused in the case and their linkage to the attorneygeneral are personal data related to a communication concerned as a case of public interest, whose public disclosure cannot be regarded either as arbitrary or unwarranted with a view to discussing the public affair concerned, it enjoys a higher level protection for the freedom of expression.

Decision 3413/2020. (XI.26) of the Constitutional Court: the Constitutional Court terminated its procedure related to the establishment of the anti-constitutionality and annulment of Section 2 of Government Decree 179/2020. (V. 4.) on deviation from certain data protection and data request provisions – which established the period open for compliance with data requests in 45 days instead of 15 days – in view of the fact that the provision was no longer in force.

[1] NAIH/2019/2996

3. Important court decisions

Pfv.IV.21.519/2018/15.: In a review procedure, the Supreme Court agreed with the earlier court statement, according to which the protected trade secret, knowledge of which would give unwarranted advantage to other competitors, cannot be accessed in the case of contracts concluded by the universal postal service provider; at the same time, in this case the contracting parties had to be aware that the contracts concluded with the defendant are more open to access because of the provisions concerning state assets. The reference to the trade secret does not automatically provide exemption from applying the rules concerning public access. The fact of disposing of state assets implies, without any further conditions, that the entity in public ownership qualifies as an “entity discharging other public duties” irrespective of whether it actually discharges public duties, or whether it carries out its activities in competitive circumstances.

Pfv.IV.21.732/2018/8.: Responding to a request for data in the public interest, the Prime Minister’s Cabinet Office only sent the instruction concerning the use of the entertainment and protocol expenses of the prime minister’s chief counsellor concerned in the request for data, as well as the information as to what extent the chief counsellor used the appropriation available to him by the date of the request for data, requiring that the costs thereof be reimbursed. The court of the first instance ordered the defendant to disclose the detailed performance verifications of the entertainment expenses in a monthly breakdown, without requesting cost reimbursement. The court of the second instance ordered the Cabinet Office to issue also the copies of the invoices on the basis of which the payments were made. The Supreme Court found the defendant’s petition for review unfounded and disagreed with the claim that the request to access the data would have been aimed at a comprehensive, invoice level audit of their financial management, as it only applied to a small fraction of the costs needed for the performance of the Prime Minister’s Cabinet Office activities.

Pfv.IV.21.778/2018/8.: According to the relevant legal provisions, the service relationship of regular members of the law enforcement agencies has to be terminated by dismissal on the grounds of unfitness for service for breach of the requirement of impeccable conduct. This may be waived by the Minister of the Interior if the execution of the sentence of imprisonment imposed has been suspended by the court and the conduct on which the sentence is based is not likely to have an adverse effect on the performance of further service. Convictions on which such a ministerial decision is based are parts of the personnel records. According to the Supreme Court’s position, the data of the specific data subjects are fundamentally personal data whose accessibility is not provided for by any legal provision; moreover, identification may be possible indirectly based on the data and the circumstances considered in the court sentences, thus anonymisation in itself is insufficient for making the personal data unidentifiable.

Pfv.IV.20.148/2019/8.: The petitioner, a Member of Parliament, requested the defendant, a business organisation exclusively held by the Hungarian state and founded for the organisation of the “2017 World Aquatics Championships” to issue all the contracts of assignment concluded with other firms and undertakings, but the defendant failed to respond to the request for data. The Supreme Court maintained the effect of the final judgment and confirmed the unbroken judicial practice that data concerning the use of public funds qualify as data in the public interest in accordance with the Fundamental Law, irrespective of the organisational structure or name of the body processing them. In relation to the objection concerning powers, the Supreme Court declared that if the scope or activities of a business organisation or institution are of national significance, the regional court according to its registered address has competence to conduct the procedure.

P.21.053/2019/30.: A parliamentary committee decided to exempt certain defence and law enforcement procurements from public procurement, but the ministry concerned rejected the request for data stating that it was not the controller of the data requested. According to the court’s interpretation, the petitioner’s request was targeting the investments of the given ministry and the development projects of the ministry can, and should, mean not only the transactions concluded by the defendant in person, which is revealed also from the evaluation of the contents of the questions. Moreover, the capacity as controller can be established even if the given ministry is not a contracting partner in the investment projects concerned.

Pfv.IV.20.305/2019/8.: A state-owned single member company limited by shares engaged in energy production and management, financed exclusively from public funds, voluntarily supports projects invented and developed by various individuals or companies as project initiators. The controller refused to disclose the data requested in relation to such projects on the grounds of trade secrets and insisted on the appointment of a forensic energy and technical expert, underlining that the field involved in this litigation was special, namely research and development, hence the evaluation whether the idea set forth in the contract, the name and brief description of the project could provide information from which competitors could make material inferences concerning its details was a matter for experts. According to the court’s position, the defendant voluntarily undertook a public task by supporting start-up projects and the activities related to this cannot be withdrawn from the scope of the Privacy Act. The data referred to cannot be regarded as trade secrets, because the magnitude of the invested amount and the data concerning the persons of the investors are accessible from public sources, the data concerning the magnitude of the amount invested in the project are data accessible on public interest grounds, while the project description includes general statements whose disclosure does not give rise to disproportionate violation of interests from the viewpoint of conducting business activities.

2.Pf.20.049/2020/8.: In its judgment the court instructed the logistics and asset management company of a ministry to disclose information about what issues, business matters, cooperation issues were discussed by the chairman of the board during his official foreign trips and what was the position or the job of his negotiating partners. In the course of the litigation, the defendant failed to provide specific evidence in support of which decision of exactly which body the data were used and to what extent and how access to the data influenced the implementation of the decision and which parts of the documents requested to be released were subject to reasons for restricting access.

8.Pf.21.166/2019/5.: The petitioner requested disclosure of the 2017 annual report of the Group of States against Corruption (GRECO) operating within the Council of Europe, which however was to be handled confidentially according to Article 15 of GRECO’s statutes. The court established that the data requested were in the public interest, but at the same time classified, hence not accessible to the public. In the meantime, the Government published the report.

2.Pf.20.048/2020/4.: The data request targeted documents related to the voting behaviour to be followed by the Hungarian Government at a specific negotiation and the related opinions received from societal reconciliation, the protocols of reconciliations with NGOs and professional organisations and feasibility studies. Not even the defendant disputed that the requested data were data in the public interest; at the same time, the court accepted that their nature allows the conclusion that their issue would render impossible to do official work free of influence and it would impede civil servants in discharging their tasks.

Finally, two court decisions whose final conclusions were contrary to the content of the NAIH statements made earlier in these cases:

2.Pf.20.105/2020/7.: Through its judgment, the court required the defendant to issue specific instructions of the national command of penitentiary institutions to the petitioner. The parties to the litigious did not dispute that the data requested via the petition were data in the public interest and none of the special instructions were classified. According to the court, the special instructions were not drafted in the course of bringing a specific decision by the defendant as they contained general provisions for the discharge of the defendant’s tasks, hence they do not qualify as data on which a decision is based, and the defendant failed to demonstrate the “security risk” concomitant with their disclosure (whereas NAIH accepted the reference to the security risk in its earlier investigative procedure).

In its judgment 25.P.20.421/2020/12., the Budapest Regional Court (approved by Judgment 8.Pf.20.556/2020/5 of the Budapest Court of appeal) ordered MTVA to disclose the employment contract of its lead newsreader employee, together with its annexes and amendments, disclosing the data related to responsibilities, basic wage, supplementary wages and additional benefits. The fact that MTVA discharges public tasks and its activities are financed from public funds allows the inference that its employee is acting in the context of his public duties when reading the news. The court of the second instance shared the position of the court of the first instance that in order to appropriately enforce the right to a free discussion of public affairs and the right to free expression, it is indispensable that citizens can learn about the employment conditions of employees discharging public tasks. Based on all this, specific data of the employment contract of the news anchor, primarily his remuneration, are data accessible on public interest grounds. (NAIH based its different position on the fact that the news anchor could not be categorised as a senior managerial employee of the Fund or their deputies, or chairman and members of the Fund’s Supervisory Board or the employees working in managerial positions and their deputies heading organisational units directly responsible for the discharge of the Fund’s public tasks, hence the data of his employment contract cannot be categorised as data accessible on public interest grounds based on Privacy Act Section 26(2)).

4. Access to the data related to the coronavirus pandemic

“The impact of the corona virus pandemic brings unprecedented challenges for society both nationally and globally. Public authorities must make significant decisions that affect public health, civil liberties and people’s prosperity. The public’s right to access information about such decisions is vital.”^{^[1]}

NAIH participated in the drafting of the above statement by the International Conference of Information Commissioners and it fully agrees with its findings, according to which openness, transparency and sharing information proactively are indispensable for people to understand the state’s decision-making processes. However, we must also bear in mind that public organisations must focus their resources on protecting public health during a pandemic.

In order to reduce the burden on disease control bodies, data requests could be completed in 45 days instead of 15 days^{^[2]}, but only if it was probable that performance within the ordinary due date would have jeopardised the discharge of the agency’s tasks related to the emergency situation. One disaster management directorate reported substantial additional tasks – naturally that was an acceptable reason. (NAIH/2020/4603)

NAIH received several complaints objecting to the fact that controllers referred to the 45-day period without any justification. The Authority underlined in every case that any deviation from the due date according to the Privacy Act must be justified individually. An acceptable reason was if during the emergency municipal decision-making had to be carried out with short due dates putting extra burden on the employees of the municipality and as most of them were working in home office mode only few employees had physical access to the documents. (NAIH/2020/4147)

A substantial part of the notifications and questions related to the pandemic were about the data concerning the disclosure of the fact of the infections and access to data on the geographical distribution of the infected persons. NAIH declared in every case that the health statistics of geographically based groups of certain sick persons qualify as public statistical data, whose accessibility may be restricted because of their role in decision-making only if their accessibility would jeopardise the effectiveness of the agency’s procedure. This should the decided by the controller, but its decision must be supported by detailed justification. Once the decision is made, the data request may be rejected, if the data would serve as the foundation of additional future decisions, or access to the data would have a negative impact on the lawful or smooth operation of the agency discharging public tasks. At the level of settlements, the number of infected people and the number of the deceased are statistical data that may be disclosed, provided the patients cannot be identified. Other processing without purpose or unlawful processing, such as posting a list of “infected” street names or indicating the exact place of an official quarantine by giving the street and house number on Facebook should be avoided as bad practice. (NAIH/2020/3506, NAIH/2020/2838, NAIH/2020/2904)

The municipal executive of Budapest 13th District applied to the Public Health Department of the 5th District Office of the Government Office of Budapest (hereinafter: Government Office) for the number of confirmed COVID-infected persons and the number of persons subject to an official quarantine in the 13th District in a daily breakdown. (According to the legal regulation, the 13th District belonged to the competence of the Public Health Department of the 5th District.^{^[3]}) The Government Office rejected the data request with reference to the fact that Government Decree 41/2020. (III.11.) made it possible to transmit the requested data to the municipalities; with the end of the emergency, however, the legal basis of data transmission no longer existed.

The Government Office processes, inter alia, the onset and place of the infection, the place of nursing, the reported disease and its epidemiological description, the laboratory diagnosis and the qualification of the outcome with respect to COVIDinfected persons in the Epidemiological Subsystem of the National Specialised Information System (hereinafter: OSZIR) run by the National Public Health Centre.

According to Section 2.1 of the Amended procedures issued in relation to the new coronavirus identified in 2020 published by the National Public Health Centre (hereinafter: Procedures) the health care provider has to upload the data of the person suspected of being infected by COVID-19 or having positive laboratory results to the Communicable disease reporting subsystem of OSZIR within 24 hours. The public health staff of the district office creates a disease case from the Communicable disease reporting sheet received electronically within 24 hours and complete the individual data collection sheet with the available data. Section 2.2 of the Procedures contains the procedures to be followed to separate suspicious and confirmed cases. According to Section 2.2.(a) “Separation of a suspected patient at home having mild symptoms shall be done upon the instruction of the health care provider (primary care, outpatient care). In warranted cases, the authority may act through an order in the case of the positive result of a PCR laboratory test designed to detect SARS-CoV-2.”

This means that the Government Office does have the requested data and it is able to obtain aggregated statistical data from the data stored in OSZIR, which are public data pursuant to Section 4(8) of Act XI of 1991 on the Activities of the Health Authority and Administration (providing for public access to data on the epidemiological situation). (NAIH/2020/7731)

The question was raised in several cases whether the fact that an identifiable person is infected can be published. As health data constitute one of the special categories of personal data according to GDPR Article 9, as a main rule, their public access is prohibited, thus a municipality lawfully refused to issue, for instance, the name of an infected municipal representative. (NAIH/2020/2926, NAIH/2020/6568). At the same time, the information whether the government office granted a licence to a family doctor to start working after participating in a conference abroad is a personal data accessible on grounds of public interest. The reason is that there is a legal regulation^{^[4]} that stipulates that health care workers in direct contact with patients, in addition to their professional qualification for the job, are considered fit to perform their duties if they do not suffer from a disabling infectious disease. The information whether a person discharging a public task meets the legal conditions of discharging that public task is public data accessible on grounds of public interest as other personal data related to the discharge of the public task. (NAIH/2020/2963)

Several submissions asked about the accessibility of data concerning the epidemiological control of residential social care institutions. Data in the public interest include, for instance, how many people were shown to have coronavirus infection in the institution, the number of available protective devices, whether there is a designated epidemiological officer and whether he or she held an infection control training, or whether patients were returned from the hospital without testing them for coronavirus. These data are processed by the institutions, they are part and parcel of their activities and related to their operation and do not qualify as personal data. Pursuant to Section 32 of the Privacy Act, an agency discharging public tasks has to facilitate and ensure the accurate and rapid provision of information to the public concerning the cases within its responsibilities (NAIH/2020/3752). The findings of the inspection report concerning the professional supervision carried out in residential social care institutions are also data in the public interest; by anonymising the personal data they can be published in internet websites. The finding of the report that the managers of the institutions severely jeopardised the health of the people they cared for during the period of the emergency and epidemiological alert is closely related to the performance of their public duties and the public has a substantial interest in accessing it, thus it qualifies as personal data accessible on grounds of public interest. (NAIH/2020/6631)

Data of financial management related to the epidemic show a varied picture: for instance, those requesting data wished to have access to the municipalities’ contracts related to the epidemic, the amounts spent on rapid tests, the quantities ordered, which are naturally data in the public interest. (NAIH/2020/6190, NAIH/2020/6299). A journalist asked for the contracts concerning the procurement of the ventilators from the Ministry of Foreign Affairs and Trade, but the Ministry did not send him the annexes containing the technical specifications. Once NAIH requested information concerning the restriction of access to the annexes, the Ministry made them available to the journalist, thus the public could be informed within a very short time. (NAIH/2020/7123)

Another journalist submitted a data request to the Hungarian National Blood Transfusion Service (hereinafter: OVSz). The subject matter of the data request was the contract on the sale of blood plasma and its amendment. The company with which OVSz concluded the contract regarded the entire contract as its trade secret, and because of this only the three data in the publication list of OVSz, the subject matter, value and period of the contract was to be issued. In the course of its investigation, NAIH underlined that in the event of a conflict between data in the public interest and trade secrets, access to the data in the public interest enjoy priority and Section 27(3) of the Privacy Act is to be interpreted strictly. The public had a substantial interest in the transparency of the management of the national blood supplies, particularly in the current epidemiological situation. NAIH requested the company to provide detailed justification for the classification of each point of the contract as trade secret and also to what extent access to the given point of the contract would cause disproportionate harm in business life. After this, the contracting company continued to state that 10 out of the 45 points of the contract were trade secrets. Of these, the Authority accepted the argumentation in the case of two points, so OVSz sent the rest to the journalist. Among other things, the Authority regarded access to the obligations undertaken by the parties in the contract as unconditionally justified because without knowledge of these, a well-founded societal debate on the appropriateness of the sales price could not evolve. When concluding a contract, whose subject matter was part of the national assets, the company had to expect that at least the main obligations would be accessible to the public. According to the Authority’s position, it should also be transparent what legal consequences are stipulated by the contract if the contracting party fails in its obligation to facilitate the supply of domestic blood plasma to patients. (NAIH/2020/1800)

[1] Statement of the International Conference of Information Commissioners (icic) (14 April 2020) https://www.informationcommissioners.org/covid-19

[2] Section 2(3) of Government Decree 179/2020. (V. 4.) on deviation from certain data protection and data request provisions during the emergency. It has ceased to be in force since the day of the termination of the emergency, i.e. from 18 June 2020. Government Decree 521/2020. (XI. 25.) on deviation from certain data request provisions during the emergency will lose effect on 8 February 2021.

[3] Based on Section 3(1) and Section 5 of Government Decree 385/2016. (XII. 2.) on the discharge of the public health duties of the Budapest and county government offices and the district (Budapest district) offices and the designation of health care administrative agencies, the district office performs all the public health, authority, professional supervisory tasks of the public health administrative body in its field of competence, which are not referred to the competence of the national medical officer or the government office by legal regulation. Annex 2 to the Government Decree specifies the fields of competence of the district offices.

[4] Section 4 of Decree 40/2004. (IV. 26.) ESzCsM on the examination and certification of medical fitness to perform health care

5. About requests for data in the public interest targeting NAIH

In 2020, the Authority received altogether 72 requests containing 187 data requests from 43 petitioners (petitioners frequently asked for several data, at times complex information or sets of data in a single submission, so a petitioner turned to the Authority with 4 data requests on average). Of these, 144 requests were complied with, 6 were partly complied with and 37 requests were rejected.

The most frequent reasons for rejection:

the requested data were not data in the public interest,
the requested data was not available to the Authority,
the requested data was used for decision-support,
the requested data were criminal personal data generated in the course of a criminal procedure.

The most frequent subject matters of the data requests included: statistical data related to the administration of cases by the Authority (for instance, the Authority’s data protection procedures, incident reports, complaints and data requests in the public interest, fines, secret supervision, etc.), NAIH information briefs, position statements and documents generated in the course of specific cases, NAIH’s internal rules and NAIH’s opinion on certain legal regulations.

6. Cost reimbursement

It can be stated that legal practice concerning the applicability of cost reimbursement and the methodology of its calculation has been developing year after year ever since the entry into force of Government Decree 301/2016. (IX. 30.) on the extent of cost reimbursement for compliance with requests for data in the public interest (hereinafter: Cost Decree). In practice, this means that the process of calculation is becoming increasingly clear. Of the three different categories, labour expenses continue to be the cost element in relation to which difficulties in interpretation arise the most frequently. In every case, the Authority emphasizes that when complying with requests for data in the public interest, agencies discharging public tasks or those financed out of public funds do not provide a service but meet their obligations arising from a fundamental right set forth in the Fundamental Law. By default, as part of their ordinary daily operation, they have to make the requested data available to citizens free of charge. Labour costs may be charged as cost reimbursement, if providing the data requires disproportionate use of the labour required for the performance of the basic activities of the agency discharging public tasks, the period of the necessary labour use exceeds four working hours and all the conditions referred to are met. Agencies discharging public tasks must be ready to receive requests for data in the public interest or data accessible on public interest grounds with respect to any of their activities.

In 2020, the Authority received 23 complaints from citizens (2019: 32 requests, 2018: 39 requests) disputing the legal basis or amount of the cost reimbursement – this result is definitely positive relative to the preceding years. Controllers demanding cost reimbursement included, for instance, the Municipality of Paks, the Veszprém County Government Office, the Municipality of the City of Bicske, various foundations and health care institutions.

Another positive experience was the decrease in the amount of the cost elements. While in earlier years, cost reimbursement demands frequently amounted to several million forints, in the case of those requesting legal remedy from the Authority in 2020, the highest cost reimbursement demand was related to the TASZ case to be presented at the end of this chapter (HUF 640,340), and frequently as a result of a NAIH investigation, the bodies discharging public tasks or those financed from public funds made the data requested available to the petitioner without demanding cost reimbursement.

In a specific case, the petitioner requested contracts and other data in large quantities from an association coordinating catch-up programmes. The association set a cost reimbursement demand of HUF 69,000 because the organisation did not have any employees. As a result of the Authority’s intervention, the association finally was able to ensure access to the data by way of inspection free of charge. (NAIH/2020/56)

In another case, the petitioner turned to the Authority on behalf of an on-line news portal. They requested communications, marketing and media related contracts for the first 9 months of 5 years from a mayor’s office, which demanded HUF 103.820 for 42 hours of labour and altogether 383 pages of electronic copies of the requested documents as cost reimbursement. In the course of the investigation, the Authority called upon the controller to reduce its demand on several occasions, so finally the original claim was reduced to HUF 10,759. In view of the number of documents, the Authority regarded the cost reduction as substantial and thus acceptable. (NAIH/2020/420)

Providing adequate information is very important; it should not be limited merely to disclosing the amount of cost reimbursement charged on the cost elements. Agencies discharging public tasks must indicate all the reasons and all the cost elements, which substantiate the grounds for the amount claimed, because the controller has the obligation to demonstrate that the amount of the cost reimbursement was well-grounded in an eventual court procedure. Adequate information greatly contributes to the petitioner truly understanding why he has to pay the cost reimbursement and in what amount in order to have access to the requested data. Furthermore, based on the information, he will be able to adopt the right decision in relation to an eventual legal remedy. In the given case involving inadequate information, finally the controller municipality issued the requested data free of charge after the call of the Authority. (NAIH/2020/4173)

As part of his studies as student reading finances and accounting had to draw up a case study on an EU project, and he selected a foundation, which he approached several times electronically with a request for data in the public interest without success. Finally, the chairman of the foundation informed him that he will issue the requested data if the student would pay a cost reimbursement of HUF 72,000 calculated by him (3 full days/24 hours, HUF 3,000/Man hour). The investigation of the case revealed that the details of the cost reimbursement were inadequate, moreover, according to the foundation’s statements, compliance with the request did not impede the discharge of its basic duties. Having been called upon by the Authority, the foundation issues the requested data free of charge. (NAIH/2020/4267)

7. Media and the public nature of the Internet

7.1. The right “to be forgotten”

More and more people turn to NAIH in cases related to the media, the public nature of the Internet and, in this context, the enforcement of the right to erasure (“to be forgotten”), so this type of cases plays a much greater and much more emphatic role than in preceding years. It is warranted to provide help and guidance to broader strata of society with regard to the Internet, which increasingly determines our everyday life, using the instruments of publicity. Similarly to other rights of the data subjects, the right to erasure set forth in Article 17 of the General Data Protection Regulation is not absolute, hence it can be subject to restrictions, if appropriate guarantees are in place. Compliance with an unfounded or excessive request can be rejected, and EU or national law may also include restrictions; also, the General Data Protection Regulation specifies certain case types when the obligation to erase is not enforced: continued processing may be regarded as lawful, if it is necessary for the exercise of the fundamental rights and freedoms of others (...). One of these is the freedom of expression and the right to be informed. The right to free expression is one of the outstanding fundamental values of a democratic constitutional state, which guarantees that the individual is able to formulate and express his ideas and opinion, thus it contributes to the free flow of various views and ideas. The freedom of expression includes the right to be informed, i.e. the freedom to receive and disseminate information and, on that basis, the user has the right to obtain, forward or publish data in the public interest or data accessible on the grounds of public interest using modern technologies, within the framework of the constitution.

In a specific case, a former actor in a reality show initiated the launching of the Authority’s data protection procedure, because a major Internet news portal did not remove an article published in 2014 containing his personal data in spite of his request (the article reports that the complainant got the worst score at a scheduled sympathy vote held among the actors). The article contained only the nickname of the complainant (VVX YZ) which however cannot be linked directly to the current professional career of the complainant. The full name of the complainant is not found among the search results of the Internet news portal concerned, whereas the Google search engine indicates hundreds of thousands of hits for the various modes of the nickname. According to the position of the Authority, taking all the essential circumstances of the case into account, the news portal rightfully referred to the freedom of information and the right to be informed when rejecting the erasure request. Moreover, NAIH attached importance to stating that the data subject himself disclosed in the course of the programme that he was going into law (he was a law student at the time when he was admitted to the show), and undertook to act in the reality show and all the concomitant risks in the knowledge that the Budapest Bar initiated a disciplinary procedure against the attorney-atlaw acting in the previous season of the show to establish whether his acting in the show was worthy of and reconcilable with practising the vocation of an attorney-at-law. NAIH was also aware of the fact that the photo published in the news portal concerned was an official press photo, which the television company published and provided to all press organs expressly with the purpose of being used as an appropriate photographic illustration in all reports concerning the show. Summarising all this, in its decision closing the procedure, NAIH decided that reporting on a person who has volunteered to appear as a public figure in a programme with a particularly high audience rating broadcast for months on a national terrestrial television channel in Hungary and on a specific event related to the show complies with the exception rule based on Article 17(3)(a) of the General Data Protection Regulation (exemption from the right to be forgotten). (NAIH 2020/842)

An opposite example: NAIH helped in the full enforcement of the right to be forgotten in the case of a complainant who as an employee of a church had been involved in a notorious scandal over 10 years ago, since then he left his church vocation and requested a major Internet news portal several times to erase the article on him, but he did not receive an answer of merit to his request. As the article contained special category data of the data subject (those related to his sexual life and orientation), the Internet article can be lawful only if over and above the existence of the legal basis according to GDPR Article 6, the condition in Article 9(2) is also met. According to NAIH’s position, the fundamental right of third persons to be informed is not infringed, if an old information about a person who is no longer in his former public office, is no longer accessible; moreover, the article objected to has no news value owing to which the erasure or anonymisation of the article would have a substantially negative impact on the daily operation of the news portal. At the same time, it is unambiguous that the “scandal chronicle” has an extraordinarily negative impact on the current private life of the data subject. As the data processing practice of the news portal infringed the complainant’s right to the protection of his personal data, NAIH called upon the controller to erase all the personal data on the basis of which the complainant could be directly or indirectly identified. If this can only be achieved by removing the entire article, the controller should erase the content accessible in the page objected to and process requests from data subjects appropriately in the future. Upon NAIH’s call, the news portal fully complied with the data subject’s earlier request. (NAIH 3865/2020)

Similar arguments and counterarguments clashed in the case which was also closed successfully. The content objected to was a report of four years ago about the Christmas preparations in a penitentiary institution and how the inmates experienced the festivities and in what kind of atonement programmes they participated during this period. After his release from prison, one of the actors realised how detrimental the publicity concomitant with his being in the report was for him. The content provider concerned expounded to NAIH that in their view, the complainant’s erasure request was unfounded because he voluntarily made a statement in the report, hence the legal basis of processing was the data subject’s consent and the processing of the data was necessary for the exercise of right of the freedom of expression and information. They also referred to Article 6(1)(c) of the General Data Protection Regulation, according to which the processing was necessary to meet the legal obligations of the controller. In terms of the appropriate legal basis, NAIH primarily examined whether the right of the community to be informed could in this case lawfully restrict the right of the data subject to protect his personal data. As the earlier status as inmate is a sensitive information enjoying particular protection, the lawfulness of disclosure would need to be considered even if the data subject were currently serving his sentence of imprisonment. In view of the passing of time and the fact that his term in prison ended, the primacy of the right to the protection of privacy can be clearly established. Ultimately, the Broadcaster fully met NAIH’s call. (NAIH 5421/2020)

In 2020, the Authority launched its data protection investigation ex officio in two parallel cases in relation to the processing practice of the markmyprofessor.com website. Many complaints were lodged against the site earlier (see NAIH Report of 2018, p. 126), but the earlier position of the Authority was consistent: university professors undertaking scientific public acting have an obligation to tolerate the negative evaluations and criticisms related to their professional activities from students; but this should not, of course, result in disrespecting human dignity for which the operator of the website is also responsible. In these cases, however, the infringement of the data subjects’ rights could be established – by failing to respond in substance on time to the requests of the data subjects sent to it, the controller infringed their right to access and, closely related to this, the right to be informed. It should also be underlined that the provision of information as requested on time is of decisive significance from the viewpoint of the transparency of the operation and order of data processing by the controller as well as the enforcement of the requirement of a fair procedure. In accordance with the above principles, pursuant to Article 12(3) of the General Data Protection Regulation, the controller has to inform the data subject of the measures taken as a result of the request according to Articles 15 to 22 without undue delay but definitely within a month from the receipt of the request. In case of need, with a view to the complexity of the request and the number of requests, this period may be extended by an additional two months. Pursuant to Article 12(4) of the General Data Protection Regulation, if the controller fails to take measures as requested by the data subject, it has to inform the data subject of the reasons for not taking the measure and about the fact that the data subject may lodge a complaint with a supervisory authority or exercise his right to judicial remedy without delay, but at the latest within a month from the receipt of the request.

In one of its procedures, NAIH also examined that the controller failed to update its Privacy Statement published in its website since the entry into force of the General Data Protection Regulation (25 May 2018), and its contents were not updated. The purpose of the Privacy Statement is that the controller should provide full information to the data subjects of the possibilities of enforcing their rights to informational self-determination set forth in the General Data Protection Regulation and the Privacy Act in accordance with the expectations set in relation to the data processing operations it carries out. Following NAIH’s action, the controller amended its Privacy Statement as appropriate and published it in the website operated by it on 1 September 2020.

In view of the controller’s cooperation and the practical problems due to the pandemic, NAIH only reprimanded the controllers in both cases. (NAIH 4762/2020 and NAIH 5911/2020)

The Authority launched a data protection procedure upon request, in which the data subject complained that a writing was published in an investigative news portal, which it is still accessible there, whose video annex was a video captured by a drone inter alia of the property held by the data subject, its location and internal areas, expressly pointing to the owner of the property. Basically, the drone video shows parts of the property that cannot be seen from a public area, its internal court and garden area, its design, the internal parts of the garden, the garden furniture installed and other parts of the building surrounded by high trees and not visible from public areas in high resolution. According to the Complainant’s position, the parts of the property not visible from a public area carry information that can be clearly associated with the owner, thus qualify as personal data according to the General Data Protection Regulation, whose processing, particularly their publication, is unlawful. In its statement NAIH declared that the property shown in the drone video is not the residence of the data subject, it only shows the built environment, the plot of land, its location and the building on it, and the video does not show any natural person, no natural person could be identified in it, and irrespective of the fact that the video was not made from a public area, no conclusion can be drawn from the property (detrimentally) influencing the data subject or any other person, their reputation, rights and legitimate interests. Nobody objected to the other statements in the article containing the drone video complained about, such as the business and governmental relations of the business undertakings held by the data subject, the volume of their activities, the magnitude of their profits, nor was there any objection to the fact that the same article published the name of the data subject in relation to the purchase of the property shown in the drone video, the fact of the purchase, the property, the reference to the property as the registered address of the business organisations held by him, the size of the plot or its location. Based on the practice of the constitutional court concerning public affairs and public actors and the freedom of expression, NAIH accepted that the report on the data subject’s investment into the property and on its development/refurbishment verifies the data processing by the controller news portal based on Article 17(3) (a) of the General Data Protection Regulation.

The decision notes that a number of data protection issues related to the use of drones await clear settlement and for this reason a uniform European regulation was enacted recently with a view to the safe use of drones. The rules of Commission Delegated Regulation (EU) 2019/945 of 12 March 2019 on unmanned aircraft systems and on third country operators of unmanned aircraft systems, and Commission Implementing Regulation (EU) 2019/947 of 24 May 2019 on the rules and procedures for the operation of unmanned aircraft (hereinafter: Implementing Regulation) are mandatory and directly applicable in all the EU Member States, including Hungary. In its Implementing Regulation (EU) 2020/746 of 4 June 2020, the Commission decided to postpone the starting date of the applicability of certain rules of the Implementing Regulation because of the COVID-19 pandemic. Accordingly, the provisions of the Implementing Regulation have to be applied only from 31 December 2020. (NAIH 4228/2020)

In the so-called “Forbes cases”, the Authority imposed data protection fines totalling HUF 4.5 million on Mediarey Hungary Services Zrt. publishing the Hungarian Forbes magazine (hereinafter: Publisher); it is, however, exceedingly important to underline that the position of the Authority is not that it would be fundamentally unlawful if, in the course of discussing an issue of public life, a journalist sorts businessmen and companies into a list according to well-grounded professional criteria and reports their activities to the public in this form. Such a list may be compiled from accessible sources and business data and the list can be published; there are, however, stringent requirements concerning this which is set forth by the General Data Protection Regulation and the Publisher as controller must meet these requirements.

In its decisions, the Authority established that the Publisher infringed the relevant provisions of GDPR by failing to carry out an adequate interest assessment of its own legitimate interest and those of third parties (the public) and failed to inform the data subjects of this in advance and it also failed to provide adequate information on all the substantial circumstances of processing and of the right of the data subjects to object to the processing of personal data and, furthermore, it failed to provide information on the possibilities of the enforcement of their rights in its answers to the requests of data subjects aimed at exercising their rights in relation to the processing of data in the printed and on-line versions of its publication listing the largest family undertakings and in the printed and online versions of its publication containing the 50 richest Hungarians published at different times in 2019. The court review of these decisions is in progress. (NAIH/2020/1154) (NAIH/2020/838)

In another of the Authority’s data protection procedures, the subject matter was an on-line report of a court hearing of a criminal case related to the discharge of public duties by a former mayor (the complainant was a mayor and as such had a public function and qualified as a public actor at the time of the alleged infringement upon the submission of the request and at the time of launching the Authority’s data protection procedure). The Authority did not establish any infringement here, because the removal of this information would violate the freedom of the press and of expression and the right of the public to be informed.

(NAIH/2020/1354 and NAIH/2020/1356)

7.2.Social media

NAIH or rather its Department of the Freedom of information received numerous complaints in relation to the data processing practices of the users of the Facebook social site, primarily those of various groups, often closed groups and individuals, as well as their shared content in 2020. In the light of these complaints, NAIH published a general information document^{^[1]} accessible in its website.

Only content which do not violate the rights of others, the principles of the social site and other rules and conditions related to the general use of the Internet may be shared. Of these, the most important is that an appropriate legal basis is needed for the processing of personal data (generally the consent or permission of the data subject). In the event of unlawful processing – for instance arbitrary posting of photos presenting another person in a unpleasant, embarrassing situation, libellous commenting, the sharing of prohibited content, etc. – the private individual controller can also be called to account and he may expect severe legal consequences. Pursuant to the General Data Protection Regulation, the rights of the data subject include the right to access (information related to processing), the right to rectification, the right to erasure (“the right to be forgotten”), which may in the given case be restricted by the right of others to freely express their opinion or to be informed, the right to restrict processing, the right to data portability and the right to object. It is very important that the data subject himself should be careful about his personal data, for instance, he should use the data protection settings appropriately and do everything in order to prevent unauthorised persons from accessing his personal information. NAIH clarified the responsibilities and possibilities of the administrator of a social site, as well as the action an injured person can take if the content shared on a social site violates his rights. Following the investigation of the case, NAIH may impose a heavy fine during its data protection procedure in the most severe cases and it may even file a criminal complaint. The data of the European users of Facebook and the socalled Facebook products (Messenger, Instagram, WhatsApp) are processed by Facebook Ireland Ltd., because of its registered office is in Ireland, the General Data Protection Regulation designates the Irish data protection authority as the lead supervisory authority in investigations against Facebook. If necessary, NAIH forwards the complaints received from Hungarian users to them and it may itself join the investigations as the supervisory authority concerned.

At the same time, substantial issues of jurisdiction have arisen not only in Hungary, but also in a number of Western democracies. The evaluation of some of the technology-based data processing operations on the Internet depend to a great extent on the set of constitutional values of the given country; thus decision on these should not be left to the global tech giants operating on a business footing and run by their less than fully transparent self-regulators, rather than putting them under the jurisdiction of the country where the eventual infringement took place or in which its impact is strongest based on the principle of national sovereignty.

Only the bodies protecting rights acting within their constitutional powers of the given country (such as the data protection authority, the courts, the constitutional court) are authorised and called to make well-founded decisions on constitutional fundamental rights and values, in these cases the primacy of national law prevails in the sense of both substantive and procedural law (this is also acknowledged by the law of the European Union). The free opinion expressed on the Internet is a subject matter of the law to be protected in terms of data protection (if we assess opinion as personal data) and the assessment of the constitutional right to express an opinion is generally the result of serious constitutional weighing as shown by the cases expounded above. Soon EU law will have to find a reassuring response to this challenge.

7.3. Is a message sent through Facebook a request for data in the public interest?

A citizen posted questions to a municipality through Facebook, the social media site, which remained unanswered. Pursuant to Section 28(1) of the Privacy Act, anyone may submit a request to access data in the public interest verbally, in writing or electronically; but there is no legal regulation to require municipalities to be present on social medial sites. So, it is also optional whether or not they respond to messages or questions received and read there. According to the Authority’s position, the questions posed through social media sites do not generate legal obligations for which anyone could be called to account, thus we recommend those requesting data to contact municipalities, other bodies discharging public tasks directly as set forth in Section 28(1) of the Privacy Act through one of their official contact points. (NAIH/2020/8491)

[1] https://www.naih.hu/files/Tajekoztato_kozossegi_mediaban_megosztott_tartalmakrol.pdf

8. Data of persons in public service accessible on the ground of public interest

The interpretation of Section 26(2) of the Privacy Act continues to cause problems for controllers in the case of requests for the personal data of persons acting within the responsibilities and powers of a body discharging public tasks. The assumption that only those of the personal data of persons discharging public tasks are accessible, which are listed item-by-item in the legal regulations applicable to their legal standing. If these persons take action within the powers and responsibilities of the body discharging public tasks, other personal data related to the discharge of their public tasks are also accessible, but only to the extent indispensable for ensuring the transparency of the discharge of the public tasks. (Naturally, extended access does not apply to the personal data of administrative or cleaning staff.)

NAIH bore in mind this later condition when investigating whether a physician’s prescription practice can be qualified as other accessible personal data of the physician related to the discharge of his public tasks. Here we have the entirety of actions taken with a view to discharging his public tasks and are closely related thereto. At the same time, there may be several degrees of access to the prescription practice with the most complete access being the prescription data of a physician for a specific medication. According to NAIH’s position, access to the prescription data for specific medications is not indispensable for the transparency of the prescription practice of physicians as pursuant to relevant legal regulations, the expected values established by ATC groups^{^[1]} and not by individual medications constitute the basis for the legal consequences of the prescription behaviour of physicians. (NAIH/2020/4900)

As it has arisen in several cases, so it is important to underline that NAIH’s position continues to be (in agreement with the unbroken Hungarian practice of applying the law, the earlier decisions of the Constitutional Court and NAIH’s statement NAIH/2015/7163/2/V) that the range of data specified in Section 179 of the Act on Civil Servants are data accessible on the grounds of public interest in the case of employees subject to the Act on Government Administration (hereinafter: Government Administration Act) and the bodies of special legal standing and on the legal standing of their employees, even if there are no specific provisions requiring accessibility based on the phrase “personal data relevant to performing public duties” stipulated in Section 26(2) of the Privacy Act. (NAIH/2020/1305) Accordingly, NAIH did not accept the reason for rejecting a request concerning data for the salary and bonus payments of the district offices from the Zala County Government Office that the Act on Government Administration does not provide for the accessibility of the personal data of government officials subject to its scope with the exception of the data specified in Section 186. Data on bonus payments, for instance, is related also to the quality and quantity of work performed, as well as criteria characterising the discharge of the public tasks, access to the data requested can and must be adjudged exclusively based on Section 26(2) of the Privacy Act, in view of the fact that other legal provisions requiring access to the data are not currently in force. (NAIH/2020/1496).

The argumentation of the Bács-Kiskun County Government Office was also unacceptable because if the civil service legal relationship of the person discharging public duties is terminated for a reason related to the discharge of his public duty, the reason for and time of termination are “data relevant to performing public duty”. The Government Office accepted this position and complied with the data request. (NAIH/2020/2365)

In relation to whether the documentation of the winning application by the head of a social institution already elected can be issued, NAIH considered the situation unrealistic in which the technical materials of the tender dossier would contain data and information, which result in a positive evaluation by the decision-maker, but cannot be accessed by the public. (NAIH/2020/8803)

The detailed job specification of a given public employee (which includes his work processes and activities, tasks, functions and networks, including goals, main areas of responsibility and the conditions under which he performs his work as well as the authorities and powers he may exercise) are data accessible on grounds of public interest, irrespective of the fact that they Act on legal standing does not provide for it. (NAIH/2020/6526)

In relation to the accessibility of a work contract concluded with the employee in a non-managerial position of a non-profit limited liability company held by a municipality (municipal television), NAIH expounded that it must be established whether the person concerned discharges public duties, in which of the public duties performed by the non-profit limited he participates and which are the data in his work contract which are relevant to the discharge of public duties. (NAIH/2020/2948)

At the same time, the certificate verifying the highest level of education of a mayor is not accessible on the grounds of public interest because there is no legal regulation specifying the level of education that would be the precondition to filling the position of mayor. (NAIH/2020/5627).

[1] Pursuant to Section 3(13) of Act XCVIII of 2006 on the General Rules of Secure and Economical Supply of Medicines and Medical Aids and of Pharmaceutical Trade: ATC group means the classification of medications according to their anatomical, therapeutic and chemical effects.

9. Transparency of municipalities

9.1. Data accessible with respect to the utilisation of municipal assets

Relative to NAIH’s guidance concerning the transparency of the operation of municipal bodies published in 2019, a new question arose in 2020, namely what data are accessible under a request for data in the public interest in the case of a “public actor tenant”. In view of the earlier statement of the data protection commissioner^{^[1]} and the judgments of the Constitutional Court^{^[2]}^{^[3]}, the Authority’s position is that when a natural person, who is public actor, rents a property held by the municipality and this fact is in the public domain or there is a statement about it by the data subject, the name of the tenant, the address of the tenement, the existence and period as well as the legal grounds for the rental relationship and the amount of the rent established are accessible by anyone on the grounds of public interest. In the case of so-called special public actors [see Constitutional Court Decision 26/2019. (VII. 23.)] the controller (municipal executive) is responsible to assess access to which data would facilitate the transparency of the management of municipal assets without giving rise to disproportionate infringement of the privacy of the data subject (fundamental rights protection test). [NAIH/2020/6790.]

In another statement, the Authority separated access to the data of natural persons accessible on grounds of public interest, who have concluded a contract with the municipality, from the accessibility of the names and other personal data of the municipal tenements rented on a welfare basis. The name and the personal data concerning the existence of the rental relationship of a natural person renting a tenement from the municipality (the address of the tenement and the period of the rental relationship) are accessible on the grounds of public interest even if the tenant rents the property owned by the municipality on a welfare basis; however the tenants of municipal properties rented on a welfare basis cannot be “listed”. According to Annex 2 point (j) of Act LXXVIII of 1993 on Certain Rules concerning the Rental of Flats and Premises and their Sale (from which the law does not provide any possibility to deviate), the differentiated amount of the rent on account of the nature of renting – welfare, cost-based or market-based rent – is part of the mandatory content of the municipal decree enacted on renting flats. It follows from this that the rent established by the local body of representatives, including the amount of the welfare-based rent, is considered data in the public interest accessible to anyone. [NAIH/2020/5043.]

Related to the above, a citizen requested data concerning decisions made at a closed session of a city municipality with regard to the utilisation of municipal assets (designation of tenants, renting municipal property, sale, designation for sale) and the valuers’ opinions and data related to tendering as part of the decisionmaking process. In the course of its investigation, the Authority established that in contrast to the controller’s statement, the body of representatives regularly makes its decisions on asset utilisation issues in closed meetings and the data of the decisions made in closed meetings, which should be accessible are unavailable for citizens on a public interface. [NAIH/2020/7971.]

9.2.Municipal meetings, “leakages”

The Authority carried out its data protection procedure investigating a request, according to which a representative of a rural municipality uploaded a voice recording he made of a private meeting convened by the mayor without informing, and obtaining the consent of, the data subjects, to his own public actor’s site of the community portal. The subject matter of the meeting was a construction project with severe impact on the built and protected natural environment, whose licensing process commanded nationwide attention because of the protestations of local residents and environmental activists. The mayor requested the Authority to conduct its procedures on the grounds that the voice recording – expressly his voice recorded – was published without his permission, whereby his right to the protection of personal data was infringed. The Authority rejected the complainant’s request on the following grounds:

Municipal transparency is a basic principle protected by law. The Municipal Board of the Supreme Court declared that access to the meetings of the municipal body of representatives is an important requirement of a democratic constitutional state, decision-making with the exclusion of the public may only take place in warranted cases predetermined by law within a narrow range. The participants of the given discussion might have been the participants of a meeting of a municipal body of representatives convened regularly who acted as public actors discussing and obtaining new information on the planned investment into a hotel regarded as an outstanding public affair by citizens directly affecting the town and its residents. In its decision, the Authority underlined that the fact of a discussion on an investment planned in a Natura 2000 protected nature conservation area and any information discussed in relation to that investment are to be regarded as environmental information to which privileged wide-ranging access must be guaranteed to the public. Because of the above circumstances meriting individual consideration, the Authority exceptionally accepted the lawfulness of processing even though the voice recording was made in a covert, secret way and the recorder did not inform the data subjects of its publication. (NAIH/2020/4014)

The case in which a journalist turned to NAIH with regard to video and sound recording equipment “found” in the meeting room of the body of representatives of a city of county rights also commanded a great deal of interest. The data available to NAIH did not verify any fact or circumstance indicating that there actually was an infringement of data security (incident), but it called attention to the fact that if there was unlawful sound or video recording that would not qualify as a data protection incident, but as unlawful processing. (NAIH 6636/2020, NAIH 6599/2020)

In a case related to access to votes cast at a closed session, the election of a new external committee member took place under one of the agenda items of the initially public meeting, in the course of which a closed meeting was ordered upon the request of the person concerned. According to the complaint, the opposition representative unlawfully disclosed the data concerning the voting by name on the decision made in a closed meeting.

The legal rules applicable to the member of a committee of a body of representatives who is not a representative (conflict of interest, honorarium, benefits in-kind, cost reimbursement) are the same as those applicable to the municipal representatives as in the course of performing the committee’s work, they participate in decision-making and may have functions with very similar responsibilities to those of members of the committee who are representatives. In the course of the procedure, the Authority underlined that pursuant to Section 46(2)(b) of Act CLXXXIX of 2011 on Hungary’s Municipalities (hereinafter: Municipalities Act), the body of representatives shall hold a closed meeting upon the request of the data subject for the discussion of elections, appointments, dismissals, giving and withdrawing managerial mandates, launching disciplinary procedures and personnel cases requiring a statement. In such a case, the primary criterion is the protection of the personal data of the data subject as he is entitled to request a closed meeting. The data generated in the course of the discharge of the public duties of the representatives making the decisions, including their votes cast for the decision, qualify as data accessible on the grounds of public interest pursuant to Section 26(2) of the Privacy Act. The Authority supported its position with the provisions of the statement ABI/1344/K/2006-3 of the Data Protection Commissioner, according to which “[…] those applying the law shall take particular care in examining whether the conditions of ordering a closed meeting and thereby restricting access for the public obtain. […] In view of the justification for holding a closed meeting, the right of inspection does not apply to the protocol of the closed meeting. However, if the minutes of the closed meeting contain data which are otherwise accessible, information must to be provided on it. Such data are, for instance, the decision itself or specific data concerning public finances and contracts. In my view, the representatives’ votes cast in a closed meeting should be regarded as data accessible on the grounds of public interest, unless it was a secret ballot. The constituents have a right to monitor the activities of the representatives and of the body of representatives even in the case of holding closed meetings to the extent that it is not concomitant with the infringement of trade secrets and the right of others to the protection of their personal data (excluding representatives). [...]” (NAIH/2020/5737)

9.3. The right of the mayor and of the municipal representative to access data

In our reports we regularly mention^{^[4]} the problems related to the right of municipal representatives to be informed emphasizing that if the representative wishes to exercise his right to access data in the public interest or data accessible the ground of public interest, and not his right to be informed as set forth in the Municipal Act, the rules of the Privacy Act are to be applied when complying with the data request just as in the case of any other citizen. Being a mayor or representative in itself does not authorise these persons to have access to and process personal data. A representative does not have independent responsibilities and powers, his “work as a representative” consists in the participation in the preparation of decisions on certain cases within the competence of the body of representatives and its committees, in the organisation of the implementation or the control of the decisions. It is another matter if a law or municipal decree enacted on the basis of some law authorises the mayor and/or the representative to have access to some kind of data and to process them with a view to discharging his public duties or if the body of representatives of the municipality entrusts him individually or as member of a committee with the planning organisation or control with a task within the competence of the municipality. In such cases, the representative/ mayor may process the indispensable personal data and those listed in legal regulation complying with the principle of purpose limited processing.

In a submission for consultation received by the authority, the mayor of a rural municipality wished to have access to data related to local tax and taxpayers. The data concerning taxation qualify as tax secret, thus the mayor and the body of representatives are authorised to access them only if the municipal tax authority (the municipal executive) decides that pursuant to Act CL of 2017 on the Order of Taxation it is necessary to publish a refutation or to publish the range of data specified in Section 130(1) as is customary at the place or if the data subject has consented to using the tax secret. A mayor and members of the body of representatives are not authorised to have access to and process tax secrets, they may have access to certain tax types and the data concerning the amount of tax arrears in relation to local taxes in a way that is not suitable for the identification of persons. (NAIH/2020/7554/2).

In another submission for consultation, the head of a long-term residential home for the elderly asked questions in relation to forwarding certain personal data of the residents to the municipality. The data requested by the mayor concerning those looked after in the social institution, their relatives, those waiting for vacancies may be issued based on Section 24 of Act III of 1993 on Social Administration and Welfare Benefits. Just because a municipality wishes to takeover a social institution, the issue of personal data of the residents, the persons waiting for vacancies and their relatives does not comply with the rules of either GDPR or the Social Act even if it is said to be part of the preparation for the takeover. (NAIH/2020/7560/2)

In another case, a municipal representative submitted a request in connection with the processing of personal data from the land registry in the body of representatives’ proposal related to their right of pre-emption. The Authority underlined that in making proposals for the meeting of the body of representatives on its agenda accessible to the public, the lawfulness of the processing of personal data must be complied with and in the specific case, in addition to Act V of 2013 on the Civil Code, the rules of Act CXLI of 1997 on the Land Registry must also be taken into account. According to the position of the Authority, using public access to the land registry and the right to access data on the property sheet in a way that deviates from the original purpose of the accessibility of property data infringes the right to the protection of personal data, including the requirement of purposelimited and fair processing. With a view to the enforcement of the principles of data processing, the body discharging public duties must examine in every case whether the restriction of accessibility is warranted and if so, in the case of which data. (NAIH/2020/7660/2)

9.4. Cases of the self-governments of ethnic minorities

In 2020 (unexpectedly relative to previous years), the Authority received a series of complaints against the self-governing bodies of ethnic minorities (requests for data in the public interest, unjustified extension of the time limits for compliance, demanding cost reimbursement, failure to disclose documents electronically). In the course of the procedures, the Authority paid particular attention to the content of the agreement between the municipality and the self-governing body of the ethnic minority in accordance with Section 80(3) of Act CLXXIX of 2011 on the Rights of Ethnic Minorities. Upon the recommendation of the Authority, the municipality under investigation initiated a review of the agreement already in force, and the amendment of the areas of cooperation in order to enable access to the data in the public interest and the data accessible on grounds of public interest of the self-governing bodies of ethnic minorities in the way required by the Privacy Act. (NAIH/2020/8134)

9.5. Disclosure lists by municipalities

Every year, NAIH receives a number of complaints concerning the deficiencies in meeting the disclosure obligations of municipalities and business organisations in municipal ownership largely in relation to the documents of the meetings of the body of representatives (minutes, submissions, decisions, decrees) and data related to financial management (contracts, grant applications). If, in the course of its investigation, NAIH establishes deficient electronic disclosure, it calls upon the body concerned to disclose the relevant data and documents. By and large, NAIH’s measures have been successful and the municipalities endeavour to comply with NAIH’s call.

9.6. Statements of assets

In view of the questions recurring year after year, particularly with respect to the mayor, the deputy mayor and the municipal representatives, NAIH published a summary guidance paper on the accessibility of statements of assets in its website in 2020.^{^[5]} Pursuant to the provisions of the Privacy Act and of the Municipalities Act, the statements of assets by the mayor, the deputy mayor and the representatives are accessible on grounds of public interest and they must be made accessible to anyone by way of data request. Based on the special rules of Section 39 of the Municipalities Act, the committee members who are representatives are subject to an obligation to make a public statement of their assets, while external committee members have to make non-public statements of their assets, as there are no special provisions in the Municipalities Act for this situation, the provisions of Section 3(3) of Act CLII of 2007 on Certain Obligations to Make Statements of Assets govern, which stipulates an obligation to make non-public statements of assets even for those not employed by the public sector who would otherwise not be required to make statements of assets based on separate legal regulations for filling positions and performing tasks of extraordinary significance for the integrity of public life..

Currently, Annex 1 to the Privacy Act does not provide for the mandatory publication of the statements of assets of municipal representatives. At the same time, there is no provision to prohibit the publication of statements of assets by the municipalities in individual disclosure lists. The legal provision referred to fundamentally serves the purpose of enabling anyone to access to the statements of assets of municipal representatives without restriction. In view of the fact that publication in the Internet facilitates simpler enforcement of the constituents’ right to information and it is in line with the intentions of the legislator, publication in this way is permitted for municipalities but this option may be used only if they enact individual disclosure lists to that end. (NAIH/2020/755, NAIH/2020/1435, NAIH/2020/2813, NAIH/2020/7681)

9.7. Canine registry

In 2020, NAIH received a substantial number of submissions, in which the person requesting data wished to have access to various items of the canine register kept by the municipalities largely to learn the number and breeds of dogs in the given settlement/district. NAIH contacted the municipalities concerned and based on their replies, the following problems emerged:

Municipalities have user level access to the national register, but users cannot query the list of dogs kept in a given settlement in a breakdown by breeds from the database. The only possibility to obtain the data is if the user queries the roughly 600 dog breeds from the database one-by-one. Unfortunately, in many cases, the veterinaries, who enter the data of the animals in the register after marking them with electronic transponders (microchips), use some alternative name rather than the official name of the breeds when entering it (e.g. German shepherd dog: German shepherd, Germanshepherd, Gs, or West Highland white terrier: westie, weszti, etc.). According to the information provided by the municipalities, the credibility of the data is greatly distorted by the fact that only the veterinaries have a level of access to the register, which allows for the modification or erasure of the data of dogs that are no longer in a given settlement because they died or there was a change in ownership or the owner moved. Another problem is that the date of the dog census to be carried out by the municipalities every three years is not harmonised which means that the municipalities gather the data at different times. NAIH contacted NÉBIH (National Food Chain Safety Office), which confirmed that municipalities as users have access to the database, but they cannot launch a query by a single click that would list the dogs in their area of competence by breed. NÉBIH also agreed with the municipalities’ statement according to which a breed may appear in several forms; having recognised this, dog breeds can be selected from a drop-down menu for years now, and the correction of the inaccurate legacy data has begun. The data in the database cannot be altered by the municipality, not even by the operator of the database, only by the reporting veterinary. In view of the fact that the municipalities are truly unable to provide credible data on the number and breed of the dogs in their area of competence, the Authority finds it acceptable that individual municipalities direct persons requesting data to NÉBIH when meeting the requests for data in the public interest. The findings of the investigation are presented in the public guidance available in the website^{^[6]}. (NAIH/2020/233, NAIH/2020/234, NAIH/2020/239, NAIH/2020/581, NAIH/2020/583, NAIH/2020/584, NAIH/2020/1057)

[1] „[...] this category definitely includes all persons exercising public authority and deciding on the use of public funds. It is also clear that this is not a homogeneous group of people. Also, there are also no precise legal limits on what data persons performing public functions or acting in a public capacity are required to disclose and where their private life in the public domain begins. This can and should be decided on a case-by-case basis.“ [26/K/1999.]

[2] 30/1992. (V. 26.) AB, 36/1994. (VI. 24.) AB, 60/1994. (XII. 24.) AB, 7/2014. (III. 7.) AB, 1/2015. (I.

[3] .) AB, 3145/2018. (V. 7.) AB, 26/2019. (VII. 23.) AB

[4] See Annual Report of 2018 IV.2.2.

[5] https://www.naih.hu/files/Tajekoztato_a_vagyonnyilatkozatok_megismerhetosegerol.pdf és https://www.naih.hu/files/vagyonnyilatkozat_leporello_20201005.pdf

[6] https://www.naih.hu/files/ebnyilvantartas-2020-tajekoztato.pdf és https://www.naih.hu/files/ ebnyilvantartas-2020-leporello.pdf

10. TASZ’s comprehensive data request case

In 2019, the Társaság a Szabadságjogokért (TASZ; Hungarian Civil Liberties Union), a human rights association (hereinafter: data requester) submitted requests for data in the public interest to every government office in connection with the implementation of the provisions of the new Civil Code calling for the mandatory court review of decisions made prior to 2013 concerning the guardianship of persons excluding legal capacity. Every one of the government offices assessing the data request demanded cost reimbursement on the grounds that meeting the data request would disproportionately use the available labour force, the extent of which was greatly different county by county. The lowest amount was requested by Vas county at HUF 27,275, while the highest amount was requested by Hajdú-Bihar county at HUF 624,340. In view of this, the data requester submitted a second modified request for data to the government offices, in which they waived answering the question that would have required a review of the files, but referred to Government Decree 388/2017. (XII. 13.) on the mandatory provision of data by the National Statistical Data Capture Programme,^{^[1]} which requires district offices to mandatorily provide data on the review of the guardianship of people. Counties Csongrád, Fejér, Jász-Nagykun-Szolnok, Nógrád, Pest, Szabolcs-Szatmár-Bereg and Tolna, as well as the capital city Budapest met the data request without demanding cost reimbursement, but they received absolutely no answer from 12 government offices, so they contacted them with a third request for data in the public interest on 13 December 2019, relative to the earlier data request, this time only asking the questions below:

altogether how many reviews were launched for persons under guardianship,
of them, for how many reviews began within the statutory period, - and how many reviews were launched belatedly.

In their letter they stated that according to their experience (based on the answers of the government offices meeting the data requests free of charge) it can be established that the registries may be suitable for accessing more detailed data. The table summarises the results of the three submitted data requests:

Government office		1st data request		2nd data request		3rd data request
Bács-Kiskun		38,800		no reply		30,800
Baranya		111,956		no reply		no reply
Békés		282,239		no reply		8,742
Borsod-AbaújZemplén		120,957		no reply		90,938
Csongrád		236,802		no reply		521,123
Fejér		57,200		data provided		57,200
Budapest		105,000		data provided		no 3rd data request
Győr-MosonSopron		50,275		no reply		16,088
Hajdú-Bihar		624,340		no reply		388,841
Heves	312,743		no reply		no such data processed
Jász-NagykunSzolnok	76,560		data provided		no 3rd data request
Komárom- Esztergom	37,220		no reply		38,356
Nógrád	120,609		data provided		no 3rd data request
Pest	did not respond		data provided		108,000
Somogy	38,552		no reply		7,586
Szabolcs- Szatmár-Bereg	185,918		data provided		28,533
Tolna	37,428		data provided		18,860
Vas	27,275		no reply		15,441
Veszprém	44,040		no reply		30,784
Zala	124,212		no reply		124,212

In the first phase of the investigation, the Authority focused on cost reimbursement. When contacted by the Authority, all the government offices responded in merit: two government offices (Borsod-Abaúj-Zemplén and Heves counties) met the 2nd and the 3rd data requests without demanding cost reimbursement. Based on the replies received, the Authority terminated the investigative procedures in the case of the government offices of the counties Borsod-Abaúj-Zemplén, Heves, Jász-Nagykun-Szolnok and Nógrád and the Budapest Government Office as the circumstance giving rise to the investigation no longer existed as they met the data request. Depending on the content of the responses, the fact of the infringement of the Privacy Act and the severity of the infringement, the Authority continued the investigation against the other government offices and called their attention to the following:

if a body discharging public duties disregards a request for data in the public interest that in itself provides grounds for the infringement of the right to access data in the public interest,
Section 29(1)(a) of the Privacy Act does not exempt the body discharging public duties from responding to the data request, but only from re-disclosing the data, and is only applicable if the data request has been previously fulfilled,
the cost reimbursement communicated pursuant to Section 29(3) of the Privacy Act is not a preliminary calculation pursuant to the Act, but the actual determination of the cost reimbursement, which is indicated by the fact that if the requester accepts the amount communicated, the body discharging public duties may deviate from that amount only downward based on the actual costs incurred and it also has a reimbursement obligation pursuant to Section 5 of the Decree on Costs; moreover the requester may dispute not only the amount of the cost reimbursement, but its justification also, either in court or before the Authority,
transparency is best served by the institution providing information concerning the cost reimbursement charged for meeting the request for data in the public interest: the more detailed the information, the more efficiently it fulfils its role; also, the body discharging public duties will ab ovo be able to demonstrate both the justification for demanding cost reimbursement, its legal basis and the correctness of its amount in the event of a legal dispute/investigation in court or before the Authority,
as head of the government office, the government commissioner is responsible for the implementation of tasks related to the freedom of information (see Section 7(f) of Decree 3/2020. (II. 28.) MvM on the organisational and operational rules of the Budapest and county government offices),
in the cases under investigation, the data were collected by the organisational units of district offices or by government officials working for the county government office, which required 1 to 6 hours of work of one or two people at each organisational unit, which obviously does not qualify as disproportionate use of the labour force needed for discharging basic tasks, even if we otherwise naturally accept the fact that government offices are overburdened.

Upon the call of the Authority, the government offices complied with the data request almost without exception. Repeated third calls took place in altogether three cases with a view to the clarification of the data provided (the government office of one county continued to demand cost reimbursement even in the case of the third data request and another one failed to communicate the data generated to the requester for administrative or technical reasons). Based on the responses received, the case was closed finally in February 2021 in a reassuring manner. (NAIH/2020/1405)

[1] In table in Annex 1 to Government Decree 388/2017. (XII. 13.) on the National Statistical Data Capture Programme, (point 1210) subsection (21) of the part on the activities of the guardianship authority specifies the description of the data to be provided and the obligee: District office; the data of persons under guardianship (type of guardianship, persons under guardianship in a breakdown by age and sex, data on the review of subjecting them to guardianship, exclusion from the franchise, the person and employment relationship of the guardian and data of supported decision-making).

11. Data requests en masse

The following two new types of group requests for data should be separated from the above “poster child case”. In the first one, a private individual requester contacted 55 hospitals requesting the same types of data; he intended to submit data request all over the country. The requester posted questions to the hospitals concerning methods and procedures of medical science. The claimant objected to the fact that the public institutions complained against did not answer his data requests, a smaller number of them rejected the issue of the data or demanded cost reimbursement for compliance with the data request. According to the position of the Authority, the data requests submitted en masse and in a comprehensive manner could be suitable for a full-scale statistical monitoring of health care, but the group request for data was not aimed at rendering public affairs more transparent or discussing them, they did not directly facilitate access to information of merit on the discharge of the public duties of the given institution, hence they did not comply with the social purpose of the fundamental subjective right. (NAIH/2020/6118, NAIH/2020/6119, NAIH/2020/6120, NAIH/2020/6121)

Another complainant submitted a significant number of data requests for different data to the same municipality. He lodged 22 complaints with the Authority in 2020, however, the body discharging public duties had to comply with a great deal more data requests over a short period of time. Some of the requests were well-founded and accordingly the Authority called upon the municipality to issue the data, but in relation to the extension of the period open for compliance, the Authority accepted the argumentation of the municipality, namely that compliance with the large number of data request within a relatively short period of time would be concomitant with the disproportionate use of the labour force needed for the discharge of its basic activities and would greatly encumber the operation of the mayor’s office working only with a small headcount. (NAIH/2020/5857, NAIH/2020/6587, NAIH/2020/6299, NAIH/2020/6584)

12. The accessibility of environmental information

It can be concluded from the petitions that not only those requesting data, but also those processing them find it hard to negotiate their way in the system of environmental information: by which bodies process them, in what databases are they managed?

A request for the issue of the decisions concerning the environmental pollution reported by Mátrai Erőmű Zrt. (Mátra Power Plant Ltd, hereinafter: Zrt.) in the summer of 2019 and on 15 January 2020 was rejected by the Eger District Office of the Heves County Government Office (hereinafter: District Office) on the grounds that it did not process the requested data, but the complainant did not receive any further information. NAIH called the attention of the District Office to Section 12(6) of Act LIII of 1995 on the General Rules of Environment Protection (hereinafter: Environment Protection Act): “If the contacted body does not have the requested environmental information, it has to send the request concerning access to the information to the body that has the environmental information and to notify or inform the petitioner about the body having the environmental information from which to request the information.” The data requested by the complainant qualified as environmental information pursuant to Section 2(c) of Government Decree 311/2005. (XII. 25.) on the order on public access to environmental information. In addition to the District Office, the complainant contacted numerous other bodies and also lodged several complaints with NAIH. All this could have been avoided, had the District Office met its obligation to provide information. (NAIH/2020/4606)

The complainant also submitted a request for data in the public interest to the Mátrai Erőmű Zrt. (hereinafter: Zrt.), but according to the Zrt. the requested decision (imposing a fine because of the extraordinary water pollution caused by the sewage issuing from the industrial water reservoir at Őzse-völgy operated by the Mátrai Erőmű Zrt. between 22.07.2019. and 28.08.2020.) did not contain any data in the public interest or data accessible on the grounds of public interest because at the time of the data request, the Zrt. did not manage public funds, it was not a body discharging public duties and its shareholders did not include the Hungarian state whether directly or indirectly having majority or decisive influence; moreover, at the time of the data request it did not qualify as a public body or body discharging obligations related to the environment or providing public services or discharging other public tasks, which would have to make accessible the environmental information available to it, if requested pursuant to Section 12(3) of the Environment Protection Act. NAIH established that the Zrt. disregarded the obligation of users of the environment set forth in Section 12(9) of the Environment Protection Act, according to which “The user of the environment shall provide information on the data related to environmental load caused by it, its use of the environment and threat to the environment upon request to anyone”. The justification of the act clearly explains that “not only the bodies discharging public duties, but the users of the environment are also under an obligation to provide information, taking into account the rules of data protection and public administrative procedure”. The Zrt. clearly qualifies as a environmental user that uses the environment, burdens the environment and conducts activities polluting the environment, hence in NAIH’s opinion, the data in the requested decision are data accessible on the grounds of public interest. According to the position of the Zrt., complying with the request of the complainant would be contrary to the legitimate interest of the Zrt. that “the eventual criminal liability of the company should not be discussed in public, it should not be established based on the data issued by us to those requesting the data during a criminal procedure”, because according to the information provided by the Zrt., there was a criminal procedure in progress at the police stage on the grounds of the felony of damaging the environment at the time of the submission of the data request. Although Section 27(2)(c) of the Privacy Act permits the restriction of the right to access data in public interest and data accessible on the ground of public interest specifying the types of data with a view to prosecuting criminal acts (provided that the law enforcement agency confirms this in the specific case with its statement), it however does not include the “legitimate interests” mentioned by the Zrt. Complying with NAIH’s call, the Zrt. finally met the data request. (NAIH/2020/1819)

In another case, a waste management non-profit limited liability company (hereinafter: Kft.) should have answered the questions of what was the annual amount of waste received by one of its branches in a breakdown by type of waste in terms of quantity and the points specified in the IPCC permit. According to the Kft., the requested data are data accessible on the grounds of public interest, but they constitute trade secret of the Kft., which is not subject to Section 27(3) of the Privacy Act. In its investigation NAIH established that the requested data were accessible from the Uniform Waste Management Information System. According to Section 1(1) of Act LIV of 2018 on the Protection of Trade Secrets “Trade secret is a fact, information, other data or a compilation of these, related to a commercial activity, which is secret in the sense that it is not, in whole or in a configuration of its components, generally known or readily accessible to persons performing the affected commercial activity and therefore it has a commercial value, and which has been subject to reasonable steps under the circumstances, by the lawful beneficiary of the information, to keep it secret”. As data accessible to the public cannot qualify as trade secret, hence NAIH called upon the Kft. to issue the requested data, which the Kft. did. (NAIH/2020/434)

A persistent problem with data requests for environmental information is that controllers interpret requests for data in the public interest concerning environmental information as requests for access and make compliance with them conditional upon client status. A government office referred to non- client status when the complainant wished to have access to building permits and the underlying documentation. The area affected by the development was a nature conservation area under Natura 2000 protection, hence NAIH established that the requested data qualify as environmental information and as such data in the public interest. The government office met NAIH’s call and complied with the data request. (NAIH/2020/6703)

2021

1. Introduction

The annual number of cases handled by the Freedom of Information Department has increased again: in 2021, we handled nearly 1,200 cases (not counting notifications of so-called rejected requests).^{^[1]}

A large percentage of data requests were on the pandemic, but there continued to be vivid interest for old “hot topics” such as the cost and mode of travel by public officials, or the cost of exhibitions and other events organised using public funds.

Unfortunately, it happens frequently that it is difficult to identify the public authority handling the data even in cases of genuine public interest.^{^[2]} This is evidenced by a NAIH report where the requested organisation declined to forward the requested data even to the Authority in the case subject to the report, stating that NAIH was not authorised to access them.^{^[3]}

The most important "undertaking" in the life of the Supervisory Authority and the Department in 2021 (and 2022) is the launch and implementation of the Freedom of Information project. As beneficiary of the EU-funded priority project KÖFOP-2.2.6-VEKOP-18-2019-00001 “Mapping out and improving the efficiency of the Hungarian practice of the freedom of information” actual research work could begin at last in January 2021.

The contractors involved in the implementation of the project work under the professional guidance of NAIH, mobilising a team of around 60 experts. The research methodology and tools include: website analysis, pilot data request, online questionnaire, in-depth interviews, desk research and other background analysis (e.g. organisational analysis, international benchmarks, etc.). Situation assessment has been carried out in 2021 in each of the research areas and the results will be used as a basis for the research design and results. The four identified research areas are:

A. Access to information on municipalities

The full survey of the freedom of information practices of the roughly 3,200 local governments (of settlements and regions) operating in Hungary, as well as of the 13 national self-governments of ethnic minorities will be carried out;

in addition, summary statements will be made for the 61 regional and 2,197 local level self-governments of ethnic minorities.

B. Access to information on central public administration

In accordance with NAIH’s expectation, the most important research subjects are the agencies of central governmental administration including the ministries, but hospitals and vocational training centres as well as other agencies of the judiciary and the representations abroad are to be separately examined. The sector-specific focus areas were also designated (including the use of public funds, the transparency of applications, the transparency of legislation, the transparency of health care, and the enforcement of publication obligations related to typical employment relationships and public education.

C. Access to information on the activities of entities outside public administration, but managing public funds and/or discharging public duties

The research plan aims to review the websites of some 1,000 organisations, sending test data requests and online questionnaires to the target group with a uniform content and making at least 50 in-depth interviews. In addition, a series of focus group interviews are to be made involving citizens, NGOs and the representatives of the press experienced in data requests, and a detailed case study will be made, drawing deeper conclusions from the practice of several specific data request cases, with particular emphasis on the issues of trade secrets and copyrights and delineation of the range of subjects subject to the obligation of providing data.

D. And legal instruments and mechanisms which can facilitate (enforce) full access to data of public interest and data accessible on the grounds of public interest

The core issues of research include the provision of general information; the obligation of the parties to cooperate; self-reflection of agencies discharging public duties; the role of the press, NGOs and representatives; disclosure obligations; the private law elements of data requests; the content of data requests; the response of the controller; the rejection of fulfilment; the name and person of those requesting data; fulfilment of the disclosure of data and the issue of due dates; the mode of providing data; cost reimbursement; reasons for rejection; NAIH’s organisation, role and powers, the provision of evidence and the outcome of litigation in court procedures, fora of legal remedy and their nature (civil or administrative litigation); court distraint; the role of and interpretation of the law by the Constitutional Court; systemic problems of legal regulation; international law harmonisation; special regulation concerning environmental information.

The research places great emphasis on the examination of the so-called proper exercise of rights. As stated in Section 30(7) of the Privacy Act, a comprehensive, account-level audit of the management of a public body constitutes a limitation on the request for data of public interest, by analogy, a series of data requests aimed at a systemic review of a public body or resulting in the impossibility of daily work are not compatible with the constitutional purpose of a request for data of public interest, since the legislator has assigned this task and competence to the body responsible for oversight of the legality of the exercise of public authority. International conventions, such as the Aarhus and Tromsø Conventions, apply a general rule of unreasonableness to such cases.

[1] Pursuant to the second sentence of Article 30(3) of the Privacy Act, the controller keeps a register of rejected requests and the reasons for such rejections and it informs the Authority of the information contained therein by 31 January each year.

[2] When asked who decides, and on what basis, on the additional corrective supplementary pension increase the amount of which is determined by a government decree, the complainant received the answer from four government bodies that they are not competent, and when contacted by NAIH, the Pension Payment Directorate of the Hungarian State Treasury could only inform them that they are only executors. Factual data on general consumer price increases and pensioner price increases for the first eight months of the year under review are contained in the September bulletin of the HCSO for the month of September of the year under review, and the annual general and pensioner price increases expected on the basis of these data are included in the forecast provided by the Ministry of Finance. All these figures are included in the government's proposal drafted for the autumn of the year under review, prepared by the Minister without portfolio responsible for families in the Prime Minister's Office and the predecessor Ministry of Human Resources. Eventually, NAIH referred the data request to the Minister without portfolio responsible for families (NAIH-1017/2021)

[3] https://naih.hu/files/Infoszab_jelentes_NAIH -5567 -8 -2021.pdf

2. Access to information on the obligations of model-changing universities in relation to data of pu...

As from 1 August 2021, numerous Hungarian universities were transformed from a budgetary body into institutions maintained by foundations. Based on Section 4(1)(d) of Act CCIV of 2011 on National Higher Education (hereinafter: Higher Education Act), foundations, asset management foundations, public foundations or religious associations registered in Hungary may independently or together with another authorised entity found an institution of higher education. The transformed organisation is no longer a public university, but a private institution of higher education maintained by a foundation, which is maintained and owned by the foundation. Pursuant to Section 5(1) of the Higher Education Act, the institution of higher education and the organisational unit of the institution of higher education specified in Section 94(2)(c) are legal entities. Pursuant to Section 94(2)(c) of the Higher Education Act: “The founding charter of the private higher education institution may pronounce the organisational unit of the private higher education institution – not including public education institutions and vocational training institutions operated as organisational units that are legal entities based on law pursuant to Section 14(3) – to be a legal entity. The organisational unit obtains its capacity as legal entity through the registration of the founding charter or its amendment by the Office of Education.”

A further consequence of the change of ownership is that the university is no longer directly part of the central subsystem of general government. Section 95(3) of the Higher Education Act also sets forth that: “Private education institutions shall manage the assets placed at their disposal autonomously within the limits of their own budget as set out in their founding charters, or if public assets are at their disposal in compliance with the requirements applying to public finances”.” The transformation of financial management was concomitant with a number of practical changes (including if a commercial bank became the account managing financial institution of the university concerned).

The primary purpose of the freedom of information is transparency of the operation of the state and the use of public funds. Section 3(5) of the Privacy Act states that the data concerning the financial management of an organ or person performing state or local government duties and other public duties defined by law qualify as data of public interest. Pursuant to Section 26(1) of the Privacy Act, any organ performing public duties shall allow any person to have free access to data of public interest and data accessible on public interest grounds under its control, if so requested, with the exceptions provided for in this Act.

Pursuant to Section 2(2) of the Higher Education Act, the state shall be responsible for ensuring the operation of the system of higher education, while the responsibility of ensuring the operation of higher education institutions shall lie with their maintainers.

The goals and principles of the Act on Public Interest Asset Management Foundations Discharging Public Duties (hereinafter: Public Interest Asset Management Foundation Act) include that:

“(1) The state recognizes the role of public interest asset management foundations discharging public duties in creating social value and supports them in discharging public tasks and the implementation of their goals.

(2) In order to enforce the provisions of paragraph (1), the state protects the legal institution of public interest asset management foundations discharging public duties as particular legal subjects of private law and their autonomy according to private law and ensures the legal environment needed for their operation, including their organisational, financial and operational independence.

(3) When establishing a public interest asset management foundation discharging public tasks, the founder and the joiner ensure the asset elements and means of funding needed for the discharge of the public task.

(4) When designing Hungary’s budget at all times ensuring the financing conditions directly needed for the discharge of public tasks and by way of asset management by the public interest asset management foundations discharging public tasks shall always enjoy priority.”

Within its powers granted by Section 1 of Act XIII of 2021 on the contribution of assets and Section 1 (1a) of Act LXV of 2006 based on Section 3 of the Public Interest Asset Management Foundations Act, Government Decision 1413/2021. (VI.30.) on ensuring the conditions and funding necessary for the operation of certain higher education institutions and certain public interest foundations discharging public tasks in force since 30 June 2021 established the various foundations assigned to the various universities.

Pursuant to Section 5(1) of the Public Interest Asset Management Foundations Act, a foundation subject to this act may only be established for a purpose in the public interest. Additional details are settled by independent legal regulations in the case of every foundation, but Section 1(1) of the individual legal regulations include that “based on the Public Interest Asset Management Foundations Act, Parliament calls upon the Government to take the necessary measures to establish the foundation belonging to the university.

(2) In the course of the establishment of the Foundation, the minister in charge of education with regard to responsibilities and powers related to higher education (hereinafter: minister) takes action to represent the state.”

Pursuant to Section 4(1) of the same act, assets amounting to at least 600 million forints (minimum capital) must be contributed to the foundation for its establishment.

Based on the legal regulations presented, it can be established that the model changing universities qualify as bodies founded and maintained by public funds on the one hand, and they continue to qualify as bodies unambiguously discharging public tasks, on the other hand. Their maintainers are public interest asset management foundations discharging public tasks founded by the Hungarian State in accordance with the authorisation granted in the Public Interest Asset Management Foundations Act. The foundation is also founded by public funds, it manages public funds and discharges public tasks, hence it is an organisation subject to the Privacy Act.

It follows that there is a legal obligation to provide general information to publish the required information electronically and to respond to requests for data of public interest.

In view of the legal definition of public tasks, the number of students who pursue their studies at the university on a self-financed basis each year is irrelevant. If a university maintained by a foundation receives a request for data of public interest and the institution receiving the request processes the data, the university has to grant the request. If data are requested which can only be found in the possession of the foundation as maintainer, the university is expected to notify the person requesting the data of this.

NAIH has consistently underlined the above statements also in the course of international investigations addressing issues of the rule of law in Hungary.

3. Important decisions by the Constitutional Court

Constitutional Court Decision 4/2021. (I. 22.) AB: Members of Parliament requested the Constitutional Court to declare Section 5 of Act VII of 2015 on the Investment Related to the Maintenance of the Capacity of the Paks Nuclear Power Plant and the amendment of certain acts related to it (Project Act) unconstitutional and its annulment with retroactive effect. This provision restricts access to both commercial and technical data and the data laying the foundations for decision related to this, whose access would infringe national security interests and rights to intellectual property for 30 years. The Constitutional Court did not find the motion well-grounded. Decision concerning the restriction of the freedom of information is made by the controller even in the most extreme cases, it does not set in by the power of the law; at the same time, a discretionary restriction of access is ab ovo anticonstitutional. The restriction of access intended to be achieved by the Project Act has a legitimate purpose justifiable because of international obligations and the nature of the investment. By the Project Act, the restriction of the freedom of information in order to protect national security interests and intellectual property rights is justified and necessary for the protection of the commercial and technical data. Provisions requiring blocking access for thirty years cannot be regarded as a disproportionate restriction as this is not an ex lege restriction, only a legal presumption. As the Project Act is to be interpreted in line with the Privacy Act, the controller has to carry out a

“public interest test”, thus the restriction may be applied, if it is of an overriding social interest.

Constitutional Court Decision 15/2021. (V. 13.) AB: The petitioner, a Member of Parliament, requested the Constitutional Court to declare Section 1 of Government Decree No. 521/2020 (XI. 25.) on derogation from certain data request provisions at times of emergency (Government Decree) unconstitutional and to annul it. Based on the contested provision, the organ discharging public task has to meet data requests within 45 days instead of the 15 days specified in the Privacy Act, or in the case of an extension within 45+45 days, if meeting the request within 15

days would jeopardize the discharge of its public duties related to the emergency. The Constitutional Court declared that the contested provision complied with the conditions of restricting fundamental rights: combating the coronavirus pandemic, the reduction of its health-related social and economic impact and the mitigation of damage were purposes which constitutionally justify the restriction of the fundamental right and as such, they are proportionate to the disadvantage that the person requesting the data can obtain the requested information only within 45 or 90 days. At the same, it is a constitutional requirement that, when applying the Government Decree, the controller has to record the reasons, which make it probable that meeting the data request within the period set forth in the Privacy Act would have jeopardized the discharge of its public duties related to the emergency. Accordingly, when extending the deadline, it is not possible to refer to the pandemic in general, but the public task, which may remain unperformed, must actually be named.

Constitutional Court Decision 3293/2021. (VII. 22.) AB The petitioner requested the declaration of the unconstitutionality of warrant 8.Pkf.25.611/2020/3. of the Fővárosi Ítélőtábla (Budapest High Court) and its annulment. In the base case, the petitioner submitted a request for data of public interest to the Prime Minister’s Cabinet Office, from where he received an answer of refusal exceeding the period of 15 days open for this. Reacting to the submitted petition, the court terminated the procedure ex officio, stating that the petition was late because the period open for the petitioner to turn to the court begins when the controller falls into delay with meeting the data request. According to the governing judicial practice, the absence of a response is the first day of the period open for initiating a lawsuit and a subsequent response of rejection does not result in the reopening of the due date. The Constitutional Court rejected the petition because it could not examine whether the interpretation of the Privacy Act by the court was correct; as a result of the examination of constitutionality, however, it established that the petitioner’s right to turn to the court was not violated by the fact that the court calculated the period open for initiating litigation from the day of failing to answer.

4. Important court decisions

Pfv.IV. 20.419/2021/6.: In its petition, the petitioner requested the issue of its own documents made available to the defendant for its earlier audits. The Curia deemed that this demand did not meet the requirements set for having access to data of public interest, it cannot be qualified as a request to access data of public interest, because the petitioner’s demand for the issue of “documents” concerning itself does not and cannot serve the transparency of public affairs. In contrast to itself, through the data known to it, the purpose according to the Privacy Act cannot be interpreted, because it had already been obviously known to it how it used the public funds and other aid provided for its operation. So, the claim to be enforced in the course of the litigation cannot be reconciled with the social purpose of the fundamental right to access data of public interest.

Pf.20.053/2021/6.: The Ministry of Finance, having received the data request, called upon the person submitting it to clarify the request exceeding the 15-day period open for responding. Because of exceeding the period, the person requesting the data did not react to the call, but submitted a petition to the court of the first instance in due time, in which he requested that the court order the Ministry of Finance to issue the data. According to the judgment of the court of the first instance approved by the Fővárosi Ítélőtábla (Budapest High Court) the call for clarification was ungrounded as the data request was complete; also, the call was sent after the period open for this, hence the Ministry of Finance was ordered to issue the data according to the data request.

Pf.20.397/2021/4.: The controller charged the cost reimbursement beyond the 15-day deadline for response, thus it is considered late, hence the controller has to issue the data to the person requesting them without payment any cost, because missing the 15-day deadline for response according to Section 29(1) of the Privacy Act results in forfeiture of the right to charge cost reimbursement. Moreover, as the controller did not make use of the possibility to extend the deadline in accordance with Section 29(2) of the Privacy Act, one can justifiably draw the conclusion that in the controller’s view meeting the data request does not entail a disproportionate use of the labour resources necessary for the performance of core duties of the body entrusted with public tasks, hence it may not claim cost reimbursement with reference to this. The Fővárosi Ítélőtábla upheld the judgment of the court of first instance.

Pf.20.056/2021/7.: Pursuant to Section 29(2)(a) of the Privacy Act, if the request for data involves data generated by an institution of the European Union or its Member States, the controller shall contact the institution of the European Union or the Member State concerned without delay and it informs the requesting party thereof. The Fővárosi Ítélőtábla declared that failing to do so in itself cannot result in an obligation to issue the data.

Pf.420.2021/5.: According to the Fővárosi Ítélőtábla it cannot be a barrier to issuing the data, if the controller continuously reviews and modifies the data it processes in the course of its operation. If, the circumstances impeding the issue of the data subsequently cease to exist, the court may also order the issue of data of public interest, whose issue the defendant has previously refused on reasonable grounds.

Pf.50.050/2021/3.: According to the opinion of the Győri Ítélőtábla (Győr High Court), the defendant’s activity, which is only directed towards the technical and architectural implementation of the infrastructural background of some public task within the framework of a general contract, does not qualify as a public task, hence the issue of these data cannot be required from the entrepreneur.

Pf.20.234/2021/5.: Section 29(1a) of the Privacy Act provides for the refusability of data requests submitted within a year for the same set of data; however, the Fővárosi Ítélőtábla pointed out that as data of public interest may have several controllers, it is not an irregular exercise of rights, if the same person applies to several controllers with requests of the same content even simultaneously.

Pf.20.147/2021/6.: The information as to who drafted the information material of the ministry in question provides an opportunity for evaluating the work of a particular person. Data pointing to any special significance in the personal data requested to be disclosed with regard to the public activities of the persons concerned and their assessment did not arise in the course of the litigation, whereby public interest in disclosure would outweigh the individual interest in the protection of the privacy of the data subjects, therefore the Fővárosi Ítélőtábla did not order the controller to fulfil the data request.

Pf. 20.057/2021/7.: When the defendant controller refuses to fulfil a data request with reference to data compiled as part and in support of decision-making, regulated in Section 27(5) and (6) of Privacy Act, it must provide adequate justification. The total number of merit points obtained by applicants in the course of announced and adjudged job applications for judges and the obtained and opened merit points by the appointed judges constitute information on the data subject applicants qualifying as personal data. The argument that the number of merit points evaluates professional aptitude and is directly related to the discharge of public duties and hence data are accessible on the grounds of public interest cannot be substantiated by the final decision of the Fővárosi Ítélőtábla. The number of merit points received in the course of the job application for judges and the performance of judicial activity are not so closely related on the basis of which the number of merit points could be regarded as other personal data related to the discharge of public duties and therefore data accessible on the grounds of public interest.

Pf.20.351/2021/5.: Pursuant to the correct interpretation of Section 28(1) of the Privacy Act, the request for the disclosure of data of public interest can only be directed at the disclosure of data which exist at the time when the controller receives the request and data generated thereafter are conceptually excluded from its scope. This also applies in the case of this litigation, all the more so, because the petitioner did not request the issue of documents generated under a given case number, but any document generated or received by the defendant in relation to the report of the State Audit Office, this request can only be fulfilled by disclosing already existing documents containing the data processed by the defendant. In addition to the above, the Fővárosi Ítélőtábla shared the position of the court of first instance insofar that it is indeed the responsibility of the petitioner to prove that the requested data exist and they are processed by the defendant, however, the person requesting the data is usually not capable of proving this beyond reasonable doubt, given that he is obviously not in possession of the information and has no overview of the internal administrative practice or document management by the controller, otherwise he would not make the data request. Therefore, the courts consider the existence of a convincing probability of the existence of data of public interest to be sufficient to order the disclosure of data for the purpose of Section 1 of the Privacy Act.

Pf.20.390/2021/4.: The Fővárosi Ítélőtábla shared the position of the court of first instance that the restriction of access to data of public interest can only be imposed for reasons indicated in the Privacy Act, taking into account the specific data and the reason for the restriction, while a general formal reference to the reason for restricting public access is unfounded.

Pf.20.009/2021/4.: The Fővárosi Ítélőtábla upheld the judgment of the court of first instance, which stated that reference to trade secrets without any specificity is unacceptable. According to the facts of the case, the petitioner requested the disclosure of contracts by way of request for data of public interest, which the defendant concluded with two external companies with the subject matter “Transfer for further processing of fresh frozen plasma not needed for the purpose of transfusion”. The defendant did not dispute that it was an organ discharging public tasks and acknowledged that the requested data were data of public interest with respect to which it was the controller; at the same time, it failed to substantiate what the proprietary information or business strategy was in the contracts and their annexes requested to be disclosed (indicating the precise section of the contract and the provision), whose disclosure would violate or jeopardise its market interests, it only referred to “unusual contractual conditions more stringent than general”. According to judicial practice, where reference is made to a reason as ground for refusal to disclose data, such as trade secrets or data for decision support, the person making such a reference must allow the court to examine the merits of such a reason.

Pf.20.188/2021/9.: The fact in itself that the data of public interest requested to be disclosed is also used in a criminal procedure does not render the refusal to disclose the data lawful. The statement of the investigating authority may prove that the requested data are of such significance in the criminal procedure that it justifies a

restriction on the disclosure of the data.

2.Pf.20.641/2021/4/II.: The court ordered the controller to provide detailed epidemiological statistical data in the format of an Excel table for the given day (e.g. altogether, how many confirmed SARS-CoV-2 cases were there in Hungary, what was the change relative to the preceding day; from how many districts were new cases reported over the preceding 7 days; number of symptom-free infected persons; number of patients with mild symptoms; number of patients with severe symptoms; number of patient on ventilators; number of patients in intensive care; total number of hospital beds reserved for the treatment of the Covid-19 disease; of this, intensive beds; number of free reserved beds and reserved beds in use; of these intensive, etc.). The defendant did not dispute that it was an organ discharging public tasks, nor that the data requested to be disclosed by the petitioner were data of public interest and that they were processed by it in an “bulk format”, at the same time, there were no grounds for its reference that meeting the petitioner’s data request would have placed an expressly major workload on its employees, in view of the fact that this is not a reason for refusal under the provisions of the Privacy Act. In the case under litigation, the data to be disclosed should be compiled using simple mathematical operations or systematic grouping out of the existing set of data, which does not mean the generation of qualitatively new data. The fact that this takes longer does not mean that the systematised data would be qualitatively new or different data. There are no public sources on the internet, where the data requested to be disclosed by the petitioner could be accessible in a daily breakdown. The fact that the petitioner could have requested some of the data of public interest even from the county government offices, also does not provide a basis to refuse the disclosure of the data, in view of the fact that these data were available to the defendant as an organ discharging public tasks.

5. Public access to data on the corona-virus pandemic

The Authority regularly updates its information to respond to any changes in legislation on requests for data of public interest in the light of the emergency.^{^[1]} At present, the rules of Government Decree 521/2020 (XI.25.) continue to apply to certain requests for data of public interest [the Constitutional Court examined this legislation in its Decision 15/2021 (13.V.) AB, already presented).

Important information:

A request for access to data of public interest may not be made orally, and it can be fulfilled in a form that does not involve the personal appearance of the data subject.
If it is likely that fulfilling the request within 15 days would jeopardise the performance of the public tasks of the public body performing the public task in relation to the emergency, the deadline for fulfilling the request may be extended by 45 days, and the applicant must be informed of this within 15 days of receipt of the request.
The 45-day time limit may be extended once for a further 45 days if meeting the request within 45 days would still jeopardise the performance of the public tasks of the public body performing the public task in relation to the emergency. The applicant must be informed of this before the first 45 days expire.
In the case of the assessment and payment of a fee, the request for data must be fulfilled within 45 days if it is likely that the fulfilment of the request within 15 days would jeopardise the performance of the public tasks of the body in relation to the emergency. In this case, the information shall be provided within 45 days on the following:
− the fulfilment of the data request would involve a disproportionate use of human resources necessary for the performance of the basic activities of the public sector body, or
− the document or part of a document for which a copy is requested is voluminous, and
− the extent of reimbursement and the possibility of providing the service without the need for copies.

In the cases mentioned, the deadline for filing a judicial remedy under Section 31(1) of the Privacy Act is also amended (45+45 days).
The provisions described above had to be applied also to requests for access to data of public interest already pending at the time of the entry into force of the Decree.

In all cases of complaints where the 45-day time limit was invoked, the Authority called on the public body to justify its reasons, and on several occasions the Authority did not consider the invocation to be justified because the body concerned did not have a direct epidemiological mission justifying the extension.

Since the spring of 2020, the Authority dealt with issues related to the pandemic in over 200 cases in the form of investigation, consultation, data request or its procedure. As evidenced by the complaint cases related to the freedom of information, most of the time those requesting data wish to access data concerning the number of infected, vaccinated, recovered and deceased persons, those in quarantine, those requiring hospital care, intensive therapy or ventilation, the number of those no longer ventilated and their distribution in many cases in a breakdown by having been vaccinated or not, and in a breakdown by vaccine type and the number of vaccinations.

NAIH also issued a communiqué concerning public access to the corona-virus infection data of settlements, which underlined that there was a substantial public interest in accessing the infection data of any settlement, the number of these figures was necessary for both mayors and residents in order to be able to make informed decisions concerning their defence against the epidemic. Mayors are important actors in the defence against the epidemic, hence it is the obligation of the competent government office to provide them with the relevant statistical data.

It is our frequent experience that those requesting data would have liked to learn from NAIH concrete information about the epidemic and its management and changes. In these cases, the Authority informed the persons requesting the data which organ discharging public tasks they can turn to (such as the National Public Health Centre, the National Hospital General Directorate or the various ministries).

In many cases, complainants objected to the fact that they did not receive a medical explanation to the professional health-related issues bothering them. Since the conceptual element of data of public interest is the fact that it is recorded and that the organ in question must handle such data, in these cases the organs discharging public tasks lawfully rejected the data requests, because they are not obliged to provide professional justification for their decisions or to express their professional opinion in the context of a data request of public interest.

A great deal of interest was expressed also with respect to the vaccine contracts. According to the statement of the Ministry of Foreign Affairs and Trade, the contract in question was concluded by the National Public Health Centre, the contract itself was not in their possession, at the same time, they saw no reason for restricting public access to the contract. Finally, the minister in charge of the Prime Minister’s Office published the purchase and sale contracts concerning the vaccines stemming from Eastern sources (on its Facebook page^{^[2]}). (NAIH-2963/2021)

It should be noted that the issue of public access to the contracts concerning the procurement of vaccines by the EU was also a subject of criticism in 2021. The European Commission headed the negotiations on the procurement of the vaccines based on the negotiating principles approved by the Member States, which finally published a number of contracts with the agreement of the companies concerned, although the companies insisted on blocking out certain confidential business data.^{^[3]}

Another notifier wished to learn from the Ministry of Human Resources (hereinafter: EMMI), inter alia, who represented the Hungarian Government in the steering committee supervising vaccine procurements and whether the representative of the Hungarian Government raised any objection to the content or any part of the EU framework contract in the course of the procedure. The Authority called upon EMMI to disclose the requested data, because the name of a person discharging public tasks cannot qualify as data on which a decision is based. The data concerning the adoption of the preliminary framework contract is considered data of public interest, the requested contracts need to be disclosed, while information qualifying as trade secret, whose violation would constitute a disproportionate injury to the business activities of the contracting party, is to be blocked out. The ministry has not fulfilled the data request ever since and the Authority issued a report on the case^{^[4]}.

There were objectionable examples also of disclosing health-related special category personal data in the social media. A mayor disclosed the full name of the notifier and the positive result of his Covid-19 test in the parents’ closed Facebook group of a kindergarten. The Authority called upon the mayor to erase all the personal data in the Facebook group on the basis of which the data subject concerned in the comments shared in the group could be identified either directly or indirectly. (NAIH-3418/2021).

A person requested the issue of a copy of the certificate on the vaccine administered to the President of the Republic showing the name, but “blocking any other personal data”. In the data request, he expressly underlined that the President of the Republic was a public actor, who had earlier “disclosed by way of the MTI (Hungarian News Agency) that he was vaccinated with the Chinese vaccine”. The “other personal data related to the discharge of public duties” mentioned in the Privacy Act can only refer to the set of data closely related to the discharge of the constitutional tasks of the President of the Republic and this definitely does not include the content of the vaccination certificate. Unless the data subject voluntarily and freely decides otherwise, access to his vaccination certificate may be lawfully rejected in the context of a request for data of public interest. (NAIH-3356/2021)

[1] https://naih.hu/dontesek -informacioszabadsag -tajekoztatok -kozlemenyek?download=473:tajekoztato -a -kozerdeku adatigenylesek -teljesitesere -iranyado -rendelkezesek -jarvanyugyi -veszelyhelyzet -miatti -valtozasarol -2021 -12 -20 -tol

[2] https://www.facebook.com/permalink.php?story_fbid=2853863864870374&id=1443632629226845

[3] https://ec.europa.eu/info/live -work -travel -eu/coronavirus -response/public -health/eu -vaccines -strategy_en#transparency -and authorisation -mechanism -for -exports -of -vaccines

[4] https://naih.hu/files/Infoszab_jelentes_NAIH -694 -1 -2022.pdf

6. Administrative Procedures Act vs. Privacy Act

The 2018 annual report^{^[1]} already disclosed the problem of law interpretation, whose main question is whether the restriction stipulated in Section 27(2)(g) of the Privacy Act (“the right to access data of public interest or data accessible on public interest grounds may be restricted by an Act, if considered necessary for the purposes of court proceedings or administrative authority procedures”) can be applied to the accessibility and publicity of the documentation of administrative authority procedures, i.e. whether Act CL of 2016 on General Administrative Procedures (hereinafter: Administrative Procedures Act) and CLXXXV of 2010 on Media Services and Mass Communications (hereinafter: Communications Act) govern as lex specialis.

According to NAIH’s position, this restriction does not apply to administrative authority proceedings that have already been concluded, all the more so as both the Administrative Procedures Act and the Communications Act require restrictions only in the case of personal and classified data, and no legal regulation has provided for the anonymisation of data of public interest or data accessible on public interest grounds.

In 2021, the civil lawsuits finally came to a final and binding end, which, inter alia, provided an answer – in line with the NAIH's position – to the question of the procedure and legal provisions under which third parties other than the clients may access the official documents of the authority generated in the proceedings related to the authorisation to provide media services. In a litigation launched to request disclosure of data of public interest, Fővárosi Törvényszék taking action in the first instance ordered the controller in its judgment 28.P.20.997/2019/8. to issue the full text of the requested media authority decisions to the petitioner within 15 days, but the remaining part of the petition was rejected. As a result of the examination of Section 33 of the Administrative Procedures Act and the Privacy Act, the court arrived at the conclusion that Section 33 of the Administrative Procedures Act narrows down the set of accessible data relative to the provisions of the Privacy Act and documents generated in official proceedings may be inspected only by the person entitled to do so, the client, in the context of the right of access to documents, but according to Section 33(5) of the Administrative Procedures Act, the decision is accessible to anyone without restriction. It drew the conclusion from this that, in the case of a request for a decision, there is no need for identification , the identity of the person requesting the data is irrelevant, hence the defendant cannot deny access to the decision even on the basis of the provisions of the Administrative Procedures Act it referred to. The Fővárosi Ítélőtábla taking action in the second instance in the litigation partially reversed the judgment of the court of first instance in its judgment 32.Pf.21.108/2018/8 and also ordered the controller to issue the submissions supporting the decisions related to the aforementioned decisions, since the request for issuing data of public interest in that litigation is to be adjudged exclusively in accordance with the provisions of the Privacy Act. In its judgment Pfv.IV.20.656/2020/4 adopted in a review procedure, the Curia annulled the final judgment – on procedural grounds – with regard to issuing the submissions, but otherwise upheld the judgment of the court of first instance.

[1] pp. 118-119

7. On requests for data of public interest submitted to the NAIH

In 2021, the Authority received 58 submissions containing requests for data of public interest from 44 petitioners, which altogether contained 139 requests for data (in 2020, the 72 requests from 43 petitioners contained altogether 187 data requests). Similarly to the trend observed since 2015, it occurs that certain individuals pose several questions in their submissions.

According to our statistics, the data requests were concluded with the following results:

100 requests granted,
9 requests partially granted,
28 requests rejected,
2 requests not fulfilled for reasons attributable to the petitioner.

The most frequent reasons for rejections were the following:

the data intended to be accessed were not data of public interest or data accessible on the grounds of public interest,
the requested data were not available to the Authority, - the requested data supported the option of a decision.

The most frequent subject matters of the data requests included requests for data concerning the Authority’s activities in the context of the corona-virus pandemic (number and content of the relevant statements, investigations, etc.). Similarly to the past year, requests for data related to data protection procedures, data breach notifications and fines imposed were also typical. In addition, the petitioners submitted numerous questions to obtain information on the Authority’s internal rules, practice of imposing fines and the application of the GDPR.

8. Reimbursement of costs

A proper implementation of the freedom of information requires transparency of the procedures for determining the reimbursement of costs (in addition, let us add that in rule of law investigations against Hungary, criticism if often made for the cost reimbursement charged for fulfilling requests for data of public interest). According to the statistics for this year, the Authority dealt with 27 such cases which – in addition to complaints – included consultation questions as well as cases left over from 2020 (altogether 6 cases). The controllers under investigation included municipalities, government offices, mayor’s offices, various welfare institutions, ministries, police departments and foundations.

The number of relevant cases continues to be relatively low (2018: 39, 2019: 32, 2020: 23, 2021: 27) and as a result of NAIH’s intervention, the organs discharging public tasks concerned issued the requested data in most cases free of charge, at the same time, because of certain high amounts, the positive trend of the previous years came to a halt. In 2021, the amount of the highest cost reimbursement was HUF 500,000 (in this case, it would have been necessary to manually examine over 11,000 files kept by a welfare institution of a municipality according to specific criteria), however, cost reimbursement set in amounts below HUF 100,000 were more typical.

There were two occasions when NAIH accepted substantial reduction in costs, in view of all circumstances of the case. In one case, the data were available partly electronically and partly in hard copy, so the data in the electronic system (file number, report) had to be reconciled with the hard copy documents in order to obtain the correct data. In view of this, we regarded the calculation reduced from 317,209 forints to 158,000 forints as acceptable. (NAIH2651/2021)

A case that had begun in 2020 was successfully closed when following NAIH’s call, the government office issued the data requested free of charge. The petitioner requested data on the guardianship authorities belonging to the territorial government office and was then informed that the time required to complete the data request was 22 hours and the labour cost/working hour was 2,202 forints, i.e. a total of 48,444 forints. Then, the petitioner requested the government office to provide details of the content of the cost reimbursement which, however, was never met. According to NAIH’s position, they calculated amount for fulfilling the data request can be regarded as excessive and it is unrealistic that the government office does not store the documents electronically. (NAIH-734/2021)

A municipal executive asked for NAIH’s position concerning a case when data requests are received from a petitioner daily on the same subject matter, could they be aggregated in terms of the number of working hours with regard to the cost reimbursement. According to NAIH’s interpretation of the law, if the person of the petitioner and the subject matter of the data request are identical or there are only minimal differences in the subject matter in the case of data requests submitted within 15 days, a legitimate interest can be foreseen, on the basis of which the controller aggregates the data requests in order to improve their administrative efficiency. NAIH emphasized that in the absence of the coexistence of these conditions it is not possible to aggregate the data requests under the legal regulations currently in force. (NAIH-2450/2021)

Partly related to the case presented above is the unlawful practice of a rural municipality which automatically attached cost reimbursement to fulfilling data requests. It is highly important to call attention to the fact that this practice is contrary to the spirit and the regulation of the fundamental right. Reacting to the practical problems of the application of cost reimbursement, NAIH published detailed guidance on its website^{^[1]}, which could assist organs discharging public duties in considering whether to charge cost reimbursement. The guidance discusses the calculation of due dates, the identification of the main cost elements and the applicability as well as the obligation to provide information and to anonymize. In addition, the obligation to cooperate is highly important on the part of both the petitioner and the organ discharging public tasks. Appropriate communication from both directions makes it simpler and easier to fulfil data requests and an accurate description of the subject matter of the request could greatly reduce the costs that may be incurred.

Additional cases concerning cost reimbursement will be presented in the subsection on The transparency of environmental information.

[1] https://naih.hu/dontesek -informacioszabadsag -tajekoztatok -kozlemenyek?download=392:tajekoztato -a -kozerdeku adatigenyles -koltsegteriteserol

9. The transparency of municipalities

According to the Authority’s case law, the organs of the body of representatives constitute a unit from the viewpoint of ensuring freedom of information, which means that when a request is submitted for data of public interest, the municipal executive cannot rely on the fact that request for data affecting the municipality was not submitted to him by the petitioner. The petitioner must not suffer a disadvantage and his request must not be rejected with reference to the absence of data, because his request was addressed to the appropriate organ of the body of representatives. If there are internal rules on fulfilling a data request, incoming data requests must be forwarded right away to the

person obliged and authorised to evaluate and fulfil it, i.e. the appointment of an expert dealing with the rights to information in charge of freedom of information cases can provide a solution for such a situation.

The basis of an investigation on the valuation of municipal assets as a basis for decision was that the meeting of representatives of the municipality had a valuation made with a view to potentially purchasing a real estate, but the preparatory work did not reach the stage of drafting the decision in terms of the purchase and sale of the real-estate in question. The real-estates were sold, but the meeting of representatives did not make a decision on the purchase of the property and did not submit an offer to buy. According to the Authority’s position, a restriction, which prevents the public to access data in the case of a legal transaction, which has already been closed citing that the data may be used at an unspecified date cannot be regarded as being in line with the Fundamental Law in view of the enforcement of the right to access and disseminate data of public interest. (NAIH-5801/2021)

Linked to the meeting of the municipality’ property management committee, a municipal representative requested access to general construction contracts, review protocols, valuer’s opinions within the framework of requesting data of public interest. The investigation pointed out the “bad” practice pursued by municipal bodies, according to which a so-called general vote is held on discussing the points of the agenda in open or private meetings, regardless of their content. In its notice on the issue of business data and trade secrets, the Authority underlined that the data relating to decision-making on municipal assets are data accessible on public interest grounds, and they can only be classified as trade secrets within a narrow range of exceptional cases. (NAIH-1170/2021)

Last year, the Authority received several notifications concerning the infringement of the right to the protection of personal data without any intent to cause harm. In one case, an employee of the office of the municipality published an a local closure order for the bees of a local beekeeper on his private social networking site in a manner that made the personal data of the beekeeper accessible causing him damage. As a result of the investigation, the municipality created an official social media page which is edited and the content published there is monitored by the head of the local office, who has also required the civil servants of the office to participate in a data protection training course. (NAIH-7586/2021)

Section 29/A(3) of Government Decree 314/2012. (XI. 8.) on the conception of urban development, integrated urban development strategy and the instruments of settlement planning and certain specific legal institutions of settlement planning requires that preliminary proposals under partnership reconciliation must be published on the website of the municipality; this, however, does not mean the publication of the records of partnership proposals. The names and addresses of those stating their opinion on the preliminary proposals are personal data, their publication on the municipality’s website qualifies as processing personal data.

Section 37(5) of the Privacy Act requires organs discharging public tasks to invite the opinion of the Authority, if an organ acting as a body corporate, entitled to disclosure (typically these include the bodies of representatives of local governments) seeks proactively to ensure wide-ranging access to data of public interest or data accessible on public interest grounds processed by them. Municipalities have defined the data to be disclosed in specific publication lists as data to be published for the registration of the statements of assets made by members of the municipal bodies (body of representatives and their committees), contracts of less than 5 million forints and tenders of less than 5 million forints. The accessibility of the data in the statement of assets of municipal representatives – in particular, the data concerning the occupation, place of work and monthly taxable income of the representative from his employment – arises as a recurrent question of consultation year after year. In this respect, the Authority has consistently represented the position that the data in the part on the statement of income are data to be provided mandatorily, hence these data may not be blocked when the statement of assets is accessed by a third person.

We also wish to call the attention of the municipalities to the fact that the purpose of the service provided through the e-mail address @mail.lgov.hu is to enable the Government to communicate with municipal executives and mayors through a uniform separate channel, thus this address cannot be indicated as a form of maintaining contact with citizens. (NAIH-2650/2021)

9.1 Personal data accessible on grounds of public interest in connection with the performance of public tasks

Last year, the Authority conducted several investigations into cases, in which the subject matter of the request for data of public interest was access to the job description of a manager in the employment of an institution of a municipality or public body. As the legal regulation governing employment does not contain specific provisions, therefore the controller discharging public tasks decides on these at its own discretion on the basis of Section 26(2) of the Privacy Act. According to the general definition, the job description covers the work processes and activities, tasks, functions and network of contacts of the employee, including the objectives, primary areas of responsibility, as well as the conditions under which the employee performs his work. The job description is indeed the detailed specification of the job. The employer lists in this document the tasks to be carried out and the tasks for which the employee is responsible. These include the powers and responsibilities, which may be exercised by the employee and which relate exclusively to the public task discharged by him, thus, in Authority’s view, these are data accessible on public interest grounds. (NAIH-1147/2021)

In another case concerned in an investigation, the subject matter of the data request was the job description and remuneration of the secretary of an organ discharging public tasks, operating in the form of a public body. According to the Authority’s position, even though the secretary’s employment relationship is based on the Labour Code and his remuneration is not paid from public funds, but from other revenues of the public body, his primary task as a senior officer is to ensure the performance of the public tasks of the public body set forth in law at the highest possible standard, hence the data concerning his remuneration qualifies as other personal data related to the discharge of his public task, which is accessible to anyone through a request for data of public interest. (NAIH3655/2021)

According to the position of the Authority, pursuant to Section 179 of Act CXCIX of 2011 on Public Service Officers (Public Service Officers Act), in addition to the data accessible on public interest grounds listed therein, the set of data on pay should be interpreted broadly, in view of the requirement of equal treatment set forth in Section 13 of the same Act, as it includes other dues and benefits received in connection with the public service relationship or in relation to it. Taking these into account, the jubilee award is a benefit linked to the public service relationship, which is financed out of public funds not with regard to events and life situations listed in Section 152(1) of the Public Service Officers Act associated with privacy. (NAIH-4045/2021, NAIH-5224/2021)

A petitioner requested access to documents generated in relation to the appointment, remuneration and bonus payments of a municipal executive retroactively for 13 years. In terms of disclosing the data retroactively to 2008 – with reference to the decision of the Supreme Court BH.2007/1/14. – in accordance with the Authority’s interpretation of the law, the Privacy Act does not have retroactive effect. In addition, it is warranted to reasonably delineate the period concerning the municipal executive’s remuneration (such as, for instance, the period of a given municipal cycle). On account of this case, the Authority drew attention of the evolution of a trend contrary to the original goal of the legislator with regard to the enforcement of the freedom of information, because the request to access the data concerning pay and other benefits of a single person retroactively for 13 years, raises the possibility of creating an itemised list of the personal data of the person concerned in bulk, accessible on public interest grounds, and creating a new quality of data, a database. (NAIH-3344/2021)

Based on the argumentation, presented in Constitutional Court Decision 3145/2018. (V. 7.) AB, the name and the employment contract of the mayor’s consultant, chief of cabinet, chief of protocol (while blocking protected personal data) are data accessible on public interest grounds. The persons, whose work is related to the responsibilities and powers of the municipality as an organ discharging public tasks, and hence their activity is capable of influencing managerial decisions, particularly those of the mayor and they have influence over changes in local public life, are identifiable by way of requesting data of public interest. According to the Authority’s statement issued when contacted for consultation, the mayor’s office is not authorised to have access to the data and documents of payments made to the employees of a business organisation owned by the municipality processed by that business organisation in a manner enabling the individual identification of the data subjects. As a business organisation manages its assets and the human resources it employs independently within the limits of the legal regulations and its deed of foundation, it qualifies as an independent controller with regard to the data processed by it, hence a relationship of controller and processor between the two organs is not applicable. In addition, legal regulations governing financial management also do not provide an appropriate legal basis for the lawful forwarding of personalised data. (NAIH-3136/2021)

9.2 Transparency of the operation of national minority self-governments

Last year, several notifications were received, so the Authority – jointly with the deputy commissioner in charge of the protection of the rights of ethnic minorities in Hungary – launched an investigation with a view to assessing the transparency of the operation of national minority self-governments and their improvement, if needed, the results of which are expected in 2022.

According to information provided by the secretary of state of the Prime Minister’s Office in charge of regional public administration, there were no extraordinarily severe violations of the law in the period from the elections in the autumn of 2014 to 20 July 2021. In terms of the freedom of information, A common problem with meetings of the body [of representatives] is the misunderstanding of the issue of closed meetings.

The mandatory disclosure according to the Privacy Act is a highly important instrument of transparency. In relation to this, the information included that all the national ethnic minority self-governments have their own websites; this, however, does not hold for the ethnic minority self-governments at regional and local level. Characteristically, ethnic minority self-governments publish their data of public interest and data accessible on public interest grounds on the websites maintained by local governments or national self-governments; the range of these data is typically minimal, covering mostly the basic data of the representatives and of the self-government only; in some cases, additional data, such as protocols, rules of organisation and operation are also accessible, but these data are rarely updated.

(NAIH-3383/2021)

9.3 Disclosure of personal data during online public hearings

Many municipalities provided a possibility for citizens and the local community to participate in local affairs and the development of decisions even during the emergency and they held online public hearings using the live streaming function of social media.

Similarly to public hearings in person, in the course of the preparation of the online public hearing, interested persons could submit their questions and proposals to the mayor’s office in writing, requesting a serial number. The complainant acted as described, but had not reckoned with the fact that in the course of the online public hearing, when his submission was read and discussed, his name and address was continuously displayed on the screen. He requested the erasure of these data from the video recording, as well as the protocol, but the municipality rejected his request on the grounds that the public hearing is a public meeting of the body of representatives, constituents – present there upon prior registration – state their names and their personal observations on local public affairs and they also indicate the area where they come from and eventually they provide their address. The lawfulness of the processing of personal data in the course of a public hearing is provided by GDPR Article 6(1)(e). A protocol is drawn up on the meeting, which is accessible to the public. According to the Authority’s position, the fact that some personal data are mentioned at a public meeting of the body of representatives does not result in the personal data becoming accessible on grounds of public interest merely because of this fact.

Earlier in his statement issued under ABI-1332/A/2006-5, the Data Protection Commissioner explained that even their (formally) given consent does not provide a basis for the recording and disclosure of the personal data of data subjects interested in and present at the meeting of the body of representatives, as the processing of data does not comply with the principle of purpose limitation.

At the same time, a contributor concerned, if given the floor, has the right to decide whether they wish to speak anonymously or otherwise, and he needs to be informed in advance that his contribution will be recorded in the protocol. If the response to his contribution is sent in writing, it is not expedient to record and to store the name and address of the data subject in the protocol accessible to the public. According to the position of the Authority, the accessibility of the public hearing is assessed the same way as a public meeting of the body of representatives. Taking this into account and fully ensuring the protection of privacy, private secrets and personality rights, there is no obstacle to the live streaming of this special form of the meeting of the body of representatives whether through the official website of the municipality or on a social media page. The Authority shared the opinion of the municipality according to which there is no fundamental difference between the processing of data related to traditional public hearings with presence in person and online public hearings. However, the Authority underlined: a citizen participating in a public hearing in person can give his consent or object to displaying and disclosing his personal data in the protocol in person, while participants in the online space cannot enforce their right to informational selfdetermination or can do so only with difficulty. With regard to the processing of data related to an online public hearing, it is the express opinion of the Authority that the controller must act more carefully with regard to the enforcement of the right to informational self-determination, because citizens are in a much more exposed position in the online space than in the case of a traditional public hearing in terms of the processing of their personal data; it follows that information by the controller concerning the processing of the data and guaranteeing data subject rights are more important and have greater significance. (NAIH-4447/2021)

9.4 Electronic disclosure

In 2021, about 30% of the notifications sent to the Authority in cases related to the freedom of information concerned inadequate electronic disclosure by organs discharging public duties; most of the time, the websites of local governments and the websites of business organisations in municipal ownership were involved: the vast majority of the notifications concerned problematic disclosure of data related to the activities, operation and financial management of the organ (documents of the body of representatives, municipal decrees, contracts, public procurements, applications, etc.). In the course of its investigation, the Authority contacts the organ concerned in every case and whenever necessary calls upon it to immediately remedy the established infringement of the law, which is generally complied with sooner or later. It should, however, be mentioned that in view of the emergency caused by the virus, the bodies of representatives had no meetings for months in most settlements in 2021. In such cases, the municipalities notified the Authority that no meetings of the body of representatives took place in the period indicated, instead decisions by the mayor brought during the period of the emergency^{^[1]} are accessible on the websites.

[1] Pursuant to Article 46(4) of Act CXXVIII of 2011 on Disaster Management and the Amendment of Certain Related Acts, "in an emergency, the duties and powers of the body of representatives of the municipal government, the metropolitan and county assemblies shall be exercised by the mayor, the Lord Mayor or the President of the county assembly. In this context, he may not take a position on the reorganisation, closure, scope of supply or services of a local government institution if the service also affects the municipality.”

10. Access to documents seized in criminal proceedings

A complainant objected to the fact that the National Tax and Customs Administration (hereinafter: NAV) did not fulfil his request for data of public interest when he wished to access documents seized in relation to the financial management of a municipality. When contacted by the Authority, NAV presented that with regard to the documents and data requested by the petitioner, the controller is the municipality, while NAV is the authority conducting the investigation in the case, and holds the documents as documents seized as evidence in accordance with the rules of Act CX of 2017 on Criminal Procedures (hereinafter: Criminal Procedures Act). Pursuant to Section 110(1) of the Criminal Procedures Act, information can be provided to whoever has a legal interest in the conduct of the procedure or its outcome; according to their position, the request for data of public interest by the petitioner cannot be regarded as a legal interest. Pursuant to Section 110(2) of the Criminal Procedures Act, permission to access the documents of the case or disclose of the requested information is authorised by the head of the public prosecutor's office before indictment and by the chair of the court acting in the case thereafter, once legal interest is verified. In view of this, even if the petitioner verified his legal interest, NAV would not be authorised to issue the documents, of which only the head of the public prosecutor's office could decide. NAV also explained that based on Section 313(3) of the Criminal Procedures Act, the municipality subject to the seizure is entitled to access the documents seized in the course of the criminal procedure in part or in full and to produce copies thereof to the extent and for the time necessary for the discharge of its tasks. In view of this, there is an opportunity for the municipality to request the investigative authority to access documents and to prepare copies, if it does not hold the hard copies or electronic copies of the documents constituting the subject matter of the procedure for the purpose of meetings its obligation to issue data of public interest. This means that the controller municipality is authorised to issue the data of public interest or data accessible on public interest grounds included in the documents, but the municipality has to contact the investigative authority to see whether the issue of the requested data violates the public interest in successfully completing the criminal procedure. In the given case, the investigative authority stated that with respect to a certain part of the data, the interests of the investigation in progress would be substantially jeopardised based on the Privacy Act and Section 109(1)(e) of the Criminal Procedures Act, if the public was informed earlier of the relevant data than the persons affected in the criminal procedure. With regard to another part of the data (the contracts concluded by the municipality), the public interest in successfully completing the criminal procedure would not be violated by access to the data of public interest.

According to the governing court case law (Pfv. IV. 20.455/2015/4., 2.Pf.20.559/2011), the mere fact in relation to the data of public interest processed in the course of a criminal procedure that the investigation report requested to be issued containing data of public interest undisputedly processed by the organ discharging public duties was requested by the investigative authority and thus it became part of the criminal file may not automatically mean a restriction of access and the rejection of the request for data of public interest. The documents requested to be issued through the request for data of public interest were obviously not generated in the criminal procedure, instead they were the basis for lodging a report. The quality of independent data processed by the controller should not be influenced by the fact that they were used in a procedure. At the same time, they do not have the uniqueness, that would preclude disposal over these data because of their use in criminal proceedings.. The controller may not refer to the interests of a procedure conducted by a third person in relation to documents containing information in the public interest, because there is no legal regulation that would prohibit the issue of documents used in the given procedure but not generated in the same procedure by the original controller in response to a request for data of public interest. Therefore, the mere fact that simply because the data of public interest requested to be issued was seized and used in a criminal procedure does not mean that the data would lose its character of being in the public interest, hence it is not possible to restrict access to them and to reject their request for data by automatic reference to this,.

As according to NAV’s statement, public interest in the successful completion of the criminal procedure would not be violated by public access to the contract requested by way of the request for data of public interest, these data can be accessed by the public and the municipality may request the investigative authority to make copies of the seized documents, the Authority called upon the municipality concerned to make the requested data available to the petitioner, unless there are other factors lawfully restricting public access. Having asked for copies of the documents requested in the request for data of public interest, the municipality sent the documents to the petitioner.

(NAIH-4003/2021)

11. Public disclosure of environmental information

In the case of data on the environment, the protection of trade secrets is a highly frequent reference for restricting access. An association for the protection of the environment requested the documents Noise map and Action plan to reduce noise of the local gigantic plant from the county government office. Fulfilling the data request was rejected with reference to the protection of trade secrets (the cover sheet of the Noise map says that “The documentation contains information qualifying as trade secrets” and the header of each page included that “For use by the authorities only”), at the same time, nobody disputed that the Noise map contained data of public interest or data accessible on public interest grounds. According to the principle set forth in Section 30(1) of the Privacy Act and the consistent practice of the Authority and the courts, declaring entire documents automatically as trade secrets is unacceptable, instead the document must be examined and it must be established exactly which data count as trade secrets. Based on Article 4(4) of the Aarhus Convention promulgated with Section 2 of Act LXXXI of 2001 on the Promulgation of the Aarhus Convention, a request for environmental information may be refused, if the disclosure would adversely affect the confidentiality of commercial and industrial information where such confidentiality is protected by law in the light of a legitimate economic interest, in this context, however, information on emissions, which is relevant for the protection of the environment, must be disclosed, or the interests of a third party, which has supplied requested information without being under a duty or legal obligation to so , or giving consent to the release of the material.

However, these reasons are to be interpreted stricto sensu, taking into account the public interest in accessibility, as well as to what extent the information requested relates to emissions to the environment. The government office has therefore to consider the collision between the protection of the interest of the public and the protection of private interest. Section 30(5) of the Privacy Act states that the grounds for refusal must be interpreted restrictively and the request for access to data of public interest shall only be refused, if the underlying public interest outweighs the public interest of allowing access to the data of public interest (overriding public interest test). Therefore, the government office violated the right of the notifier to access data of public interest and data accessible on public interest grounds, when it failed to fulfil the request for the action plan and furthermore when it automatically qualified the entire Noise map as a trade secret without its detailed examination, hence it could not possibly have carried out the assessment of data qualifying as trade secrets as required in Section 30(5) of the Privacy Act; for these reasons the Authority called upon it to immediately send the Action plan to the notifier and establish exactly which data of the Noise map qualify as trade secrets, if necessary, invite the statement of the company concerned and carry out the assessment as required in Section 30(5) of the Privacy Act, and comply with the request for data for which, as a result of the foregoing assessment, it concludes that disclosure cannot be restricted. The government office complied with the Authority’s call and issued the Action plan to the notifier together with the public version of the Noise map, which is almost identical with the original version. (NAIH-4011/2021)

The Authority took successful action in two cases where environmental NGOs objected to the cost reimbursement charged for fulfilling their data requests. In the first case, the fact that the NGO requesting the data asked for environmental information from the competent government office paid an important role. The Authority found the cost reimbursement of 185,321 forints unjustified for several reasons. By far the greater part of the requested documents contained information concerning emissions to the environment, access to which according to Section 12(5) of Act LIII of 1995 on the General Rules of the Protection of the Environment cannot be refused on the grounds of being trade secrets. Furthermore, the 47 working hours calculated for filtering out inaccessible data in the documents requested by the petitioner was unjustified because the requested documents in actual fact contained very few pages where personal data could occur (they included largely tables, measurement data and protocols and the examination of such pages could not possibly take about 4 minutes per page). Finally, even in the case of expending 47 working hours as alleged, the disproportionate use of labour necessary for the discharge of the basic activities of the government office would not take place in view of the huge headcount of the government office. In its call, the Authority explained that if responding to data requests to be fulfilled causes disproportionate difficulties for an organisational unit while carrying out its basic activities, then first – if possible, particularly in the case of larger organisations – a solution to discharging both the basic activities and the free fulfilment of data requests has to be resolved through reorganisation within the organ. (NAIH-5797/2021)

In the case just presented, as well as in another case launched on the basis of the notification of another environmental NGO, unlawfully charging cost reimbursement was due, inter alia, to the wrong interpretation of the law according to which “if fulfilling a request for data of public interest exceeds 4 working hours that can be regarded as disproportionate”. In its investigations, the Authority consistently underlines that the time taken to carry out a task qualifies as disproportionate not because it exceeds 4 hours, it is also necessary to make use of labour needed to discharging the basic activities to fulfil the data request and that should take place to a disproportionate extent. The use of labour is disproportionate, if it renders the discharge of the basic activities of the organ discharging public tasks substantially more difficult or impossible. (NAIH-4508/2021)

12. Publicity of applications

n 2021, there was a large number of complaints related to the transparency of investments and grants for the purposes of tourism. In the Authority’s experience, the grounds for restricting access to applications was the recurrent reference to trade secrets or support for a decision.

12.1 Trade secret

the full application documents of the projects on its funding commitment list that have been awarded over HUF 1 billion and the winning projects on the decision list for the development of existing hotels with high capacity and the establishment of new hotels A journalist requested from Kisfaludy2030 Turisztikai Fejlesztő Nonprofit Zrt. the entire application documentation of the winning applications on the decision list of projects winning grants in access of 1 billion forints and the development of high-capacity existing hotels and the establishment of new hotels. The company did not issue the data declaring them to be trade secrets. The company did not issue the list of the non-winning applications, not included in the decision list of Kisfaludy accommodation development construction – Development of high-capacity existing hotels and the establishment of new hotels (name of applicant, the identification of the project and the requested amount) to the notifier because in its view, no commitment according to Annex 1. Section III.4. of the Privacy Act took place.

According to the consistent practice of the Authority and of the courts, the requested documents of the application must be examined one by one and established exactly which are data qualifying as trade secret, whose disclosure would give rise to disproportionate violation of interest. There is a substantial public interest in the transparency of hotel development and hotel establishment applications and the application procedures involving substantial public funds are of great interest to the public, hence the public has a legitimate demand to have access to at least the basics on what taxpayers’ money is spent, and whether the submitted applications meet the expectations published in the invitation to apply. The data requested on non-winning applications are also either data of public interest or data accessible on the grounds of public interest based on Section 3 of the State Aid Transparency Act.

Upon the Authority’s call, the company finally asked the beneficiaries to provide information on which data of their application they qualify as trade secrets. In general, it was found that a very large number of the beneficiaries regarded the application datasheets, the executive summary of the business plan, the situation assessment, the objectives, the results expected, the section concerning the current status from the part presenting the project, the main figures of the project’s budget and the scheduling of the project as accessible. In other words, the range of data assessed to be issuable by the beneficiaries was much wider than the range of data originally assessed as accessible to the public by the company – this was particularly spectacular in the case of the business plan.

As to fulfilling data requests in the future, the company has to draw the conclusion that instead of excluding public access to their full application documentation, the data thereof have to be examined in detail, statements of the beneficiaries have to be obtained, which is the only way to declare on reasonable grounds, public access to which data qualifying as trade secrets would result in disproportionate injury to commercial activities and all this has to be substantiated towards those requesting data with detailed justification. Finally, the company complied with the Authority’s calls, however, the data never reached the person requesting them as his e-mail address changed in the meantime. The company did not send the data to the new e-mail address, because of this the Authority recommended that the person requesting the data submit the request again. (NAIH-653/2021)

There was another journalist, who submitted a request for data of public interest concerning the requests of specific companies sent to the invitation to participate in the Baross-19-NMG/2 project and their detailed documentation to CED Közép-európai Gazdaságfejlesztési Hálózat Nonprofit Kft. The company declared about all the application documentation that “they are not accessible to the public with regard to any of their parts”. In its call, the Authority underlined that in addition to explaining which data of the requested application materials qualify as trade secret and why, it is also necessary to explain the disclosure of which of the data qualifying as trade secret would cause disproportionate injury to the holder of the secrets. (NAIH-6850/2021)

12.2 Data for decision support

Organs discharging public duties frequently restrict access to data related to the evaluation of applications with reference to Section 27(5)-(6) of the Privacy Act, without giving adequately detailed justification for the refusal of the data request.

The mayor’s office of a large rural town refused a data request on the application documentations, the number of those receiving personnel-related benefits in the projects and the amount of such benefits, justifying its refusal by referring to the relevant provision of the legislation only. In spite of being called upon by the Authority, they justified the restriction of access with regard to the blocked data as “not relevant to the project” in the documents subsequently sent to the person requesting the data. (NAIH-1338/2021)

The Authority called the attention of Emberi Erőforrás Támogatáskezelő (Human Resources Support Manager, hereinafter: EET) to the fact that the information provided to a person requesting data in relation to refusing to grant the request for data must contain the factual and legal reasons substantiating it. These reasons should be the results of examinations of form and content. A refusal supported with the appropriate reasons greatly contributes to the person requesting data becoming genuinely aware and understand why his request was not fulfilled. In addition, based on such information, he will be able to bring the right decision concerning an eventual legal remedy as well. The Authority established that EET did not act appropriately in refusing the request for data of public interest when it failed to provide a detailed justification. (NAIH-272/2021)

The Authority called the attention of the Ministry of Innovation and Technology (hereinafter: ITM) to the same issue in the case when the notifier complained that ITM did not fully meet his data requests related to OTKA applications submitted and evaluated in 2020. The data request concerned the list of applications reflecting the recommended order, submitted by OTKA main advisory board to ITM; also, the notifier requested the letters, memos and meeting protocols, which played a role in that the list of applications reflecting ITM’s decision did not correspond with the list of applications submitted to ITM by the OTKA main advisory board. ITM justified the restriction of public access (already in the course of the investigation) by claiming that a public discussion on the collective professional opinion of expert groups would jeopardize the purity of future procedures and access to the internal correspondence concomitant with day-to-day operational work would jeopardise ITM’s discharge of its tasks and exercise of its powers specified by law, free from unauthorized external influence and at the same time, the free expression of opinion by ITM employees when preparing for decisions, as well as the efficiency of the work in the future.

ITM failed to comply with the Authority’s call; because of this, a NAIH report was published on the case^{^[1]}, which underlined: access to the data on which decisions are founded can be restricted in properly justified cases; in the present case, however, substantial public interest was vested in the accessibility of the requested data, because the alteration of the order recommended by OTKA’s main advisory board – and the usual procedural order – was of major interest to the public, as well as to the scientific community and the requested data were indispensable sources of the transparency of the procedure in this application procedure, particularly with regard to the protocols of meetings. Of the documents on which the decision was based, only the data concerning the methods of evaluation, the criteria of evaluation and the evaluation of the winning applications have to be issued and only those which would explain the differences from the order recommended by OTKA’s main advisory board. The employees of organs discharging public tasks, acting within the responsibilities and powers of these organs, have good reason to expect that, since it is a principle laid down in the Fundamental Law, data concerning the method of evaluation of applications financed by public funds, the criteria of evaluation and the evaluation of the winning applications may be made accessible in the documents produced by them, particularly if they are the only sources of the requested information. (NAIH-2329/2021)

12.3 Disclosure of data concerning applications

A county self-government published a contract of support related to an EU application procedure, in which the name, position, signature, sign of the person signing the contract and the name, working place, phone number and e-mail address of the contact person were disclosed to the public. In its request for consultation, the self-government requested the Authority’s statement whether the data subject signing the contract who was otherwise a senior employee of an organ discharging public tasks could request the blocking of the above data.

The person signing the contract representing an organ discharging public tasks carried out a public task when he signed the contract, hence the name, position, signature and sign of this person qualifies as personal data accessible on public interest grounds.

The name, working place, phone number and e-mail address of the contact person acting on behalf of the selfgovernment can be regarded as data accessible on public interest grounds if he has a legal relationship of public service.

The publication of the contract containing personal data accessible on public interest grounds took place in accordance with the requirements of the Privacy Act, consequently the data subject may not request the blocking of these data. Act CXXII of 2009 on the More Economical Operation of Business Organisations in Public Ownership (hereinafter: Economical Operation Act) specifies the data, which the Széchenyi Programiroda Tanácsadó és Szolgáltató Nonprofit Kft. has to disclose. Based on Section 2(1) of the Economical Operation Act, the names, positions and signatures of the senior managers of this company are also data accessible on public interest grounds, while the data of the company’s contact person have to be disclosed, if they were generated in relation to the discharge of public tasks, such as in this case in the course of concluding the contract. The Authority does not consider it necessary to display the contact data of the company’s contact person on the website as. (NAIH6645/2021)

A municipality intended to publish the records of contracts and applications of less than 5 million forints on the city’s website in the form of individual disclosure and requested the Authority’s position about its lawfulness. The Authority expounded that it greatly supports the decision of the municipality, regards it as exemplary from the viewpoint of enforcing the fundamental right to access data of public interest, and thinks that other municipalities should follow it. At the same time, it called attention to the fact that in the course of the disclosure, personal data, which do not qualify as data accessible on public interest grounds, classified data, data according to Act LIV of 2018 on the Protection of Trade Secrets and other data subject to restricted accessibility must be blocked. The Authority recommended that the decision be made by the municipality in the form of a municipal decree, perhaps within the same framework as the rules mandatorily enacted in accordance with Section 30(6) of the Privacy Act. (NAIH-56302/2021)

In another investigation, the complainant objected to the fact that the data concerning the Széchenyi 2020 project can only be downloaded in a limited way extending to 300 hits and not for the entire database on the website www.palyazat.gov.hu in the supported project search function, hence he requested specific data of all the Széchenyi 2020 projects (operative programme, sub-measure, name of the applicant, project name, project description, settlement, date of the decision to support, brief summary of the project, aid awarded, source, country, intervention

category, EU co-financing rate, total cost of the project, commencement and end of implementation) to be sent in .csv format.

The Prime Minister’s Office refused to fulfil the request, because according to their position, the data request was governed by a statement in Constitutional Court Decision 13/2019 (IV.8) AB, according to which the controller is not under an obligation to create a new set of data filtered according to specific criteria and the person requesting the data may not demand that somebody else should collate the accessible data for him. According to the position of the Authority, however, Section 33(1) of the Privacy Act stipulates that access to data of the public interest, the publication of which is mandatory, shall be made available to the general public without personal identification on the internet website, without any restriction, in digital format, suitable for being printed or copied, without any partial loss or distortion of data, free of charge including perusal, downloading, printing, copying and transmitting through a network. (NAIH-4539-13/2021)

A Member of the European Parliament submitted a data request to Magyar Turisztikai Ügynökség Zrt. on which providers of accommodation benefited from the aid provided pursuant Government Decree 523/2020. (XI. 25.) on the partial compensation to accommodation providers for loss of revenue arising from to cancelled reservations and to what extent.

The company indicated the accessible source of the data, which is a list of beneficiaries, which included the beneficiaries of other applications also. The company gave the criteria of collation to the person requesting the data as follows: “The data requested by the person can be collated from the list concerning the circle of applicants, objective and amounts of other support provided by Kisfaludy 2030 Turisztikai Fejlesztő Zrt., taking into account that the data that can be read from the invitations to apply published also on the website referred to”.

In its call, the Authority underlined that it is not an obligation for the person requesting the data to search for the document, in which he may find the criteria on the basis of which, he may collate the requested data. If the person requesting the data is directed to a public data set, he must also be given unambiguous criteria for collation whereby he can select the requested data from the data set without consideration, simply and unambiguously. The Authority also emphasized that the accessibility of information concerning who gets public funds and how much as “basic data” relating to the spending of public funds is above any dispute. Finally, the company issued the requested data to the person who requested them in accordance with the Authority’s calls. (NAIH-2361/2021)

[1] https://naih.hu/files/Infoszab_jelentes_NAIH -2329 -2021.pdf

13. Preparation for legislation

In 2021, NAIH received a group notification from a complainant, who objected to the practice of ten ministries in fulfilling data request on the one hand, and the 45-day deadline for providing information applicable during the period of the epidemic, on the other hand. Originally, the notifier requested the various ministries to disclose impact assessment reports concerning legal regulations relating to the 2014-2018 governmental cycle, as well as other impact assessment documents. Based on Decree 2/2016. (IV. 29.) MvM by the Prime Minister’s Office on preliminary and subsequent impact assessments, an impact assessment is a process of collecting and analysing information whose primary goal is to improve the efficiency of regulation, including the examination of the likely consequences of the regulation, in sufficient detail adjusted to the assumed impacts of the regulation over a relevant time horizon and then summarising the results with a view to facilitating informed decision-making.

The ministries did not make the requested documents accessible. In their respective responses to being contacted by the Authority, it can be established that the Ministry of Human Resources, the Ministry of Justice, the Prime

Minister’s Cabinet Office and the Ministry of Foreign Affairs and Trade did not have the data of public interest requested by the notifier as they did not compile impact assessment reports.

The Ministry of the Interior argues that, based on the balancing of the public interest in the disclosure of the data and the public interest in the exclusion of disclosure, the content of the impact assessment reports also influences the decision-making processes of the legislator concerned, the Minister and the Government, and the processes cannot be considered closed at the end of a year, because in such cases, an informed decision can only be made through the comparison of several years of data and experience, and therefore the data cannot be disclosed even in numerical terms.

The Ministry of the Interior argues that, based on assessing public interest in accessing the data and in excluding their accessibility, the content of the impact assessment reports also influences the decision-making processes of the legislator concerned, the minister and the Government, and these processes cannot be regarded as closed by the end of a year because in such cases, an informed decision can only be made through the comparison of data over several years and experiences, hence the data cannot be made available to the public even in their quantitative aspects. NAIH did not accept this justification as the impact assessment reports only contain aggregated statistics for the given year, the practical experiences concerning the preparation, use and utilisation of impact assessments and recommendations concerning the improvement of impact assessment activities. Therefore, they should not be considered as a basis for one or more government decisions, particularly since the statistics are not used as a basis for decision-making or legislation.

The Prime Minister’s Office refused to issue the impact assessment reports claiming that the data in the impact assessment reports qualify as data supporting the decisions related to the operation and improvement of the impact assessment system.

The Authority issued a report in the case based on Section 59(1) of the Privacy Act, particularly in view of the fact that the contacted ministries exhibited substantially different practices as learned in relation to the case under study.^{^[1]}

[1] https://naih.hu/files/Infoszab_jelentes_NAIH_1227_7_2021.pdf

2019

1. Introduction

In 2019, the Freedom of Information Department had a total of 663 pending cases, of which 489 were initiated that year and 174 were cases carried over from the previous year. The number of authority proceedings for data protection initiated in 2019 was 11 (cases where there was a conflict or collision between the two information rights), and the number of consultation cases was 116.

In addition, the Department had 17 cases of delivering opinion on legislation. In this regard, it should be noted that Section 38 (4) (a) of the Privacy Act explicitly authorizes the Authority to give its opinion with respect to draft laws concerning data of public interest and to data accessible on public interest ground, which is in line with Section 7 (b) of Act CXXXI of 2010 on public participation in developing legislation. The latter Act aims to ensure widespread knowledge of the law as data of public interest as well as to promote social participation in the legislation.

Based on complaints received by the Authority in 2019, the interests of the citizens continue to be extremely diverse: it focuses on subjects among others like real estate acquisition statistics of foreigners to state aid for sports and sport events to the salaries of municipal notaries. In response to these, in the autumn of 2019, the NAIH also issued two detailed guides of great significance on the operation of the bodies of local governments and on public procurement data^{^[1]} . The Authority is convinced that the thematic professional guidelines will effectively contribute to the clear solution and uniform application of issues important for the public and for those applying the law.

[1] https://naih.hu/freedom-of-information-in-hungary.html

2. International outlook

As it was stated at the International FOI Symposium in Potsdam, held annually by the Brandenburg Information Commissioner¹³ , everyone should be aware that transparency is a multiplier for efficiency and opposing state intentions have a counterproductive effect.

In 2019, NAIH was one of the first to be accredited by the International Conference of Information Commissioners (ICIC)¹⁴ , which is the only international network of worldwide FOI supervisory bodies. The Authority has participated in the work of the ICIC Governance Group since its establishment.

In March 2019, participants from more than 50 countries convened in Johannesburg at the 11th International Conference of Information Commissioners (ICIC)¹⁵. The conference was chaired by Adv. Pansy Tlakula, Chairperson of the Information Regulator of South Africa (an independent body supervising the enforcement of the two information rights), nominated by the parliament for five years in 2016 and appointed by the President. Ms Pansy Tlakula served as Chairperson of the South African Commission on Human Rights from 1995 to 2002 and was a member of the African Commission on Human and Peoples’ Rights. From 201012, she held the mandates of Special Rapporteur on the African Model Law on Access to Information, which has since been used as a model legislation of 23 African countries.

At the conference, weighty consideration was given to the needs of vulnerable social groups. The final statement of the conference also emphasizes that it is vital for vulnerable groups not only to have access to information of public interest, but society must also be informed of their special situation and needs. Emphasis was placed on presenting different models for the status of the supervisory body - independent or joint legal protection with data protection, independence criteria, separate law or common legal norm, etc. The other main issue concerned the interaction between data protection and freedom of information. African Information Commissioners have repeatedly emphasized that the right of access to information that functions as Community law clearly takes precedence over the right to the protection of personal data as an individual right in Africa. At the same time, the growing nature of the interaction is undeniable, for example in the field of electoral procedures, the publicity of public databases or public officials.

Another important event of international importance is the continuation of the Case Handling Workshop placing practical topics on the agenda, which was held for the first time in Budapest last year. In 2019, the event was hosted by the Gibraltar Supervisory Authority^{^[1]} and focused on the issue of the conflicts between competing legal regimes in freedom of information matters, government contracts with businesses or transparency in the work of emergency hotline services.

[1] https://www.gra.gi/data-protection/press-releases/freedom-of-information-workshop

3. Important decisions of the Constitutional Court

In 2019, the Constitutional Court adopted several major decisions on FOI, which are of particular significance in the interpretation of law by the Authority.

Decision of the Constitutional Court 3190/2019. (VII. 16.) on publicity of the Paks II. nuclear power plant impact studies

Taking also into account the Authority’s resolution NAIH/2017/2365/2/T, the Constitutional Court rejected the constitutional complaint against the decision of the Szekszard Regional Court on the refusal to disclose data of public interest.

The complainant requested all impact studies related to the expansion of the Paks Nuclear Power Plant to be made available by the nuclear power plant developing company MVM Paks II. Atomerőmű Fejlesztő Zrt. The data request was rejected with reference to the possible restriction of the right to access data underlying a decision. The court found this argument to be well-grounded. According to the Constitutional Court, what constitutes a decision in terms of freedom of information is a question of interpretation of an intergovernmental agreement promulgated by law. The legal interpretation of the court, including the scope of environmental data, complies with the provisions of the Fundamental Law, as in a series of negotiations concerning investments of national security and national strategic importance, such as the expansion of the Paks Nuclear Power Plant, the protection of the Hungarian negotiator and the Hungarian state may make it necessary to restrict the right to access data of public interest

Decision of the Constitutional Court 3147/2019. (VI. 26.) on the obligation of confidentiality of the „data subject” of data accessible on public interest grounds concerning the use of public funds

A serial actor concluded an assignment contract with a film production company on playing the main character of a movie series financed by the Media Services and Support Trust Fund (MTVA). The actor has also undertaken in the contract – under the obligation of penalty payment – to handle the assignment fee as a business secret. When the production company had called off the assignment contract concluded with the actor, he disclosed the amount of the assignment fee in a press product on the internet. The production company sued the actor for the payment of the penalty. The courts of first and second instances had obliged the petitioner to pay the penalty and the Curia approved the final judgement. The Constitutional Court did not take a position on whether the disputed data (e.g. the information on the amount of the assignment fee included in the contract and subject to the obligation of confidentiality) qualifies as a data of public interest or data accessible on public interest grounds, as it is the duty of the courts to assess this in case of legal dispute. However, the Constitutional Court pointed out that organisations managing public funds shall not deny access to data accessible on public interest merely with reference to a contractual confidentiality clause.

Decision of the Constitutional Court 3069/2019. (IV. 10.) and Decision of the Constitutional Court 3070/2019. (IV. 10.): in the case of publicity of data related to the opinions and resolutions obtained in the context of preparing the uniformity decision of the Curia, the examination of the content of the data, on which the decision is based, is obligatory

In the underlying case of the constitutional complaint the petitioner asked the court – after the rejection of its request for the disclosure of data of public interest – to bind the Curia to disclose the data related to the opinions obtained in the context of preparing the relevant uniformity decision of civil law.

The Constitutional Court has found the following:

The decisions of public servants are prepared freely, informally and free from public pressure. Thus, the requirement of publicity applies only to the final outcome rather than the intermediary working materials. The legal interpretation that considers the totality of the requested documents – irrespectively to their content – as data that serve the purpose of supporting the decision-making, this way preventing access to the documents, allows for the unjustifiably broad – therefore unnecessary – restriction of the right to access data of public interest. In the case under review, the Constitutional Court established that, as the court had had no information about the identity of the persons who had provided external opinion and about the content of the opinions, it had decided in the case without actually examining the material justification of restricting publicity. This way the court placed the totality of the requested documents under the restriction of publicity without paying attention to their content. A judicial decision that allows for the restriction of fundamental rights to an extent wider than necessary is incompatible with the Fundamental Laws.

Decision of the Constitutional Court 13/2019. (IV. 8.): interpretation of the definition of data of public interest, the limits of the obligation to produce data of public interest

The petitioner requested(in the framework of a scientific research) data disclosure in the public interest, the Curia to disclose the list and certain data (case numbers, date of submitting the statement of claim, the names of the litigating parties in the case of legal entities) of civil litigations pending for at least seven years. However, the Curia stated that it was unable to provide the requested list of data as it did not have a record on the dates of submitting the statement of claim.

The Constitutional Court pointed out: request for data – not exercised in an abusive manner - should not be refused by referring to the extra work implying time or cost needed for making the requested data accessible. Nevertheless, a differentiation should be made concerning the case when the request for data is not aimed at disclosing data retrievable with additional work, but for inducing the controller to obtain new data or create data of another quantity, statistics or statements from the data it processes otherwise. The openness of the operation of the judiciary as a separate branch of power, does not differ fundamentally from that of other organizations financed from public funds. The duty of the Curia is to develop the uniformity of the case law of the courts and, primarily, to decide about extraordinary legal remedies. The date of submission of the statement of claim and the connected duration of the procedure reaching or extending over seven years - although it is deductible from the court files - is not considered as data created in connection with the Curia’s activity or the performance of its public duties. Furthermore, the Curia has no monopoly over the information requested to be disclosed as the court of first instance, in accordance with its duties specified in the procedural Acts, necessarily contributes to all essential points of the civil procedure, including the registration of the date of submitting the statement of claim. By taking into consideration all circumstances, the Constitutional Court rejected the petitioner’s constitutional complaint.

Decision of the Constitutional Court 29/2019. (XI. 4.): criticism of a person performing public duties (notary) in social media - the question of proving reality

In multiple cases in 2011, a citizen criticised the notary of the municipality on the message board belonging to his own account of an Internet social media portal. Furthermore, at a local public hearing, he stated before the public that the victim notary had denounced him twice and he had made a false testimony at the police.

In the action brought by the notary for the enforcement of personality rights, the Curia maintained the force of the judgements of the courts of first and second instances stating that the petitioner was guilty of the offence of libel and the continuous offence of defamation. According to the reasoning of the Curia, what was said is relevant only in relation to the accused and the aggrieved party, and not in the context of the public life of the city, so it certainly cannot be regarded as information of public interest, and their presentation at a public hearing was not justified by a legitimate private interest.

On the basis of the complaint submitted by the petitioner, the Constitutional Court annulled the Curia’s approving ruling maintaining the force of the judgements of the courts of first and second instances, stating that the court made its decision in accordance with the relevant constitutional criteria, but the constitutional conclusions drawn from it are incorrect. When interpreting the limits of freedom of expression, especially its restriction by criminal law, the Constitutional Court has set a stricter standard than “offence to the sense of honour”. According to the interpretation that further develops the previous practice on the basis of the Fundamental Law, in the debate of public affairs, criticism or value judgment affecting the exerciser of public power or a public figure cannot, as a general rule, be the basis for legal liability. In this context, only those communications go beyond the constitutional limit of freedom of expression that offend human dignity, i.e. the content of dignity that legally captures the essence of human nature. Furthermore, the reasoning of the judgment against which complaint was submitted, did not set out the reasons why the statement of facts in question was ‘relevant only in relation to the accused and the aggrieved party, and not in the context of the public life of the city’.

After the decision, the Curia repeated the review procedure and again it maintained the force of the final decision. Against this decision, the petitioner filed a second constitutional complaint with the Constitutional Court, according to which there is no obstacle for the court to reaching a different conclusion from the challenged decision as a result of balancing between freedom of expression and the protection of reputation. The expressions used by the petitioner had been protected by the freedom of expression, because the criticism had not violated the essential core of the human dignity of the affected public figure. However, by maintaining the force of judicial decisions that criminalised the protected expression of opinion of the petitioner, the Curia violated the petitioner’s right under Article IX (1) of the Fundamental Law. In connection with the reference to false testimony, the Constitutional Court considered the challenged judicial decision unconstitutional because it did not state why the statement of facts relating to the aggrieved party fell outside the scope of debate of public affairs. In the debate of public affairs, the accused must be given an opportunity to prove the truthfulness of its statement considered as defamation. This cannot be substituted, if in the course of a review procedure (when the subsequent taking of new evidence is not possible), the Curia concludes that the statement of the accused has already been established to be untrue.It is one of the guarantees of the freedom of expression that the courts examine, also in the framework of the basic procedure, the truthfulness of the statements made by the accused person, and this person may enforce his or her procedural rights in a formal way. The Constitutional Court therefore annulled the decision again and, in view of the importance of the constitutional issue, ordered that the decision be published in the Hungarian Gazette.

4. Rules of the Reimbursement of Costs Regarding Data Requests – Recent developments

In the autumn of 2019, the Constitutional Court dealt with the reimbursement of costs related to the disclosure of data of public interest in two decisions:

Decision of the Constitutional Court on the examination of the posterior norm control against Section 4 (4) of the Government Decree 301/2016. (IX. 30.) on the amount of the cost reimbursement chargeable for performing a request for data of public interest (Case Nr.: II/1808/2016.sz.)

The provision challenged by 58 members of parliament (MP) regulates the amount of the cost reimbursement chargeable for performing a request for data of public interest. According to the petitioner MPs, the challenged provision does not take into account the average wage costs of the staff members engaged in the relevant activity, and the hourly rate of HUF 4,400 is exaggerated, therefore, the provision is in breach of the right to access data of public interest, as it requires payment in consideration of exercising a fundamental right. The Constitutional Court first pointed out that it is not obligatory to charge a cost reimbursement for the labour input used in the course of performing the request for data of public interest, and even if it is indeed charged, neither the Privacy Act, nor the Government Decree specify in advance the exact amount chargeable for using the workforce, as it actually depends on the real labour costs.

Therefore, the Constitutional Court states that the provision, which only specifies the maximum amount of the labour charge per working hours connected to performing the data request is not contrary to the provision of the Fundamental Act. Actually, the challenged provision is not a limitation on the freedom of information, as in a certain sense, – by introducing the upper limit – it facilitates access to data of public interest and data accessible on public interest grounds, since in the case of annulling the provision, the position of the parties requesting data would become less advantageous than the present one. With regard to the above, the Constitutional Court rejected the petition of the MPs for posterior norm control.

Decision of the Constitutional Court relating to the constitutional complaint against the judgement No. Pfv.IV.22.218/2017/4 of the Curia (reimbursement of costs for performing a request for data of public interest) (Case Nr.: IV/1013/2019.)

The petition essentially contained criticism of the judicial interpretation and application of law in connection with the reimbursement of expenses related to paperbased data disclosure by post. The petitioner requesting the data considered the postage fee of HUF 680, determined on the basis of the Government Decree, to be infringing. First, the petitioners applied to the NAIH, and then, after the NAIH did not established an infringement, an action was brought before the court to modify the reimbursement of costs related to the disclosure of data of public interest. They argued that, under the relevant legislation, postage cost can only be charged for sending a copy of the document containing the requested information, but not for a simple reply letter without a copy. They also questioned that they would be required to reimburse postage costs for two letters. The courts found that the reimbursement was made in accordance with the provisions of the Privacy Act and the Government Decree, as the paper in the postal envelope containing the reply shall be considered as a data media. The amount of the reimbursement is also not unlawful, as double postage cost was charged for mailing to the two applicants. The petitioner then filed a constitutional complaint with the Constitutional Court, which found that the mere fact that the petitioner considered the reasoning of the otherwise justified court judgment to be incorrect, was not a constitutional issue. Pursuant to the Government Decree, the cost of workforce may not exceed HUF 4,400. This amount was calculated on the basis of the gross hourly earnings of the civil servants employed full-time at central budget bodies, as provided by the Central Statistical Office during the preparation of legislation, by rounding it up (the exact amount was HUF 4353.4). The legal provision has been adjusted to this amount because many types of bodies, different in terms of their legal status and operational framework, are obliged to fulfill requests for data in the public interest, and the employees of these bodies are also subject to different laws on legal status. Nevertheless, according to the presumption of the legislator, data requests are typically fulfilled by central state administration bodies, therefore it is justified to take the average earnings of persons employed here as civil servants as a basis.

In 2019, the NAIH received 32 complaints by citizens objecting to the legal basis of charging reimbursement of costs or disputing the amounts charged. The Ministry of Finance, the Hungarian Central Bank, the Public Procurement and Supply Directorate, local governments, government offices, as well as companies owned by state or local government, and public institutions were among the data controllers. The amounts determined showed a great variety; sums of a few 10 thousands of forints were most usual, but there were charges running up to several hundred thousands, and in some striking cases even million forints (Pécs Sport Nonprofit Zrt .: HUF 4,841,000; Hungarian Army Health Center: HUF 3,805,000, National Police Headquarters: HUF 2,966,575). The highest cost reimbursement, nearly HUF 9 million, was determined by the Hungarian Tennis Association.

Significant proportion of the cases closed resulted in the data controller fulfilling data requests without charging fees or reducing the fees based on miscalculation and returning the fees that had been paid. This was the result of our inquiries of e.g. the Hungarian Central Bank, the Public Procurement and Supply Directorate, the FEV IX. Ferencváros Asset Management and City Development Inc., and the Érd District Office of the Pest County Government Office.

At the same however, it is true that several inquiries commenced last year were still unclosed at the time of drafting the report, as the positions did not come nearer even after several exchanges of correspondence. In one such case, the Ministry of Finance established a reimbursement fee of HUF 33,033 for 17 working hours related to the fulfillment of the data request, and a reimbursement fee of HUF 36,510 for 19 working hours. In both cases, the Authority found that the fulfilment of the data request cannot be considered to be a disproportionate use of the workforce for an organization of this size. (NAIH/2019/944, NAIH/2019/982).

Fulfilling a data request necessarily involves certain amount workforce allocation – this is an institutional concomitant of the fundamental right to access data of public interest. However, organs performing public duties shall be prepared to receive requests for access to data of public interest, or data accessible on public interest grounds related to any of their activities. The Authority came to a similar conclusion in the case of the fee of HUF 176,000 determined by the NIF Hungarian National Infrastructure Development Company. Due to the disagreement of the data controller, the inquiry ended with the publication of the findings. (NAIH/2019/507).

In court (remedy) proceedings, the burden of proof for the justification of the amount of the fee, shall lie with the controller, therefore, it is important to have a detailed, accurate calculation and documented costs. The court may modify the amount charged for fulfilling the request for access to the data of public interest, or may order the organ performing public duties to commence a new procedure to determine the amount of the fee payable.

The right of access to data of public interest is not an unrestricted fundamental right, however, it enjoys privileged constitutional protection as one of the conditions for and part of the exercise of the right to freedom of expression.

Accordingly, laws restricting freedom of information must always be interpreted strictly. In a concrete case of a complainant, and in accordance with Section 4 (3) of the Decree, the Authority found that the amount of the social contribution tax to be paid by the employer could not be charged to the data requester, therefore ordered the data controller to repay it. The municipality concerned complied with the order. (NAIH/2019/5705)

Freedom of information as a fundamental right requires transparency served by sufficiently detailed information on the reimbursement of costs relating to the fulfilment of data requests, in which the public service bodies are obliged to indicate all the reasons and cost elements that were taken into account when determining the fee. Appropriate information contributes greatly to the data requester’s true understanding of why and what reimbursement he or she must pay in order to obtain access to the data he or she wishes to know.

The amount of workforce cost should be calculated based on the actual work processes. The Authority has repeatedly drawn the attention of data controllers to give an explanation what work processes are required by fulfilling the data request. In one case, the ORFK informed the data requester that headcount and decommissioning data, covering the entire professional police staff, were handled by the police based on the data of January 1 of each year. Thus, in order to compile a statement containing data broken down by body and on a monthly basis, it would be necessary to carry out a national data collection involving all relevant police bodies exercising the employer’s rights. Accordingly, the ORFK precisely indicated the circumstance due to which the fulfillment of the data request would have involved a disproportionate use of the workforce necessary for the performance of the core activity of the body performing public duties. (NAIH/2019/4306). In such cases, it is also worth for data requesters to consider whether it is appropriate to maintain the request for data of public interest in an unchanged form. Data requesters may at any time, after consulting the controller, decide to change the form or manner in which they wish to receive data of public interest, of course in such a way that the data request achieves its purpose, thereby significantly reducing or even eliminating the cost of the data request.

In another case, an organ performing public duties provided for significant reimbursement (HUF 355,600) for the sole reason that „the involvement of a DPO (Data Protection Officer) is necessary for the data protection control of contracts”. In this regard, the Authority drew the data controller’s attention to the fact that the mere fact that certain personal data in the contracts have to be anonymised and that this task is controlled by the DPO, does not justify the claim for reimbursement (NAIH / 2019/5915).

In cost-reimbursement cases, it is also important to emphasize that when determining the reimbursement of less than HUF 5,000, the fulfilling of the data request cannot be made subject to prior payment of a specified fee, and the first 4 working hours cannot be charged in advance [Government Decree Section 3 (1)]. It often causes uncertainty that it is not clearly indicated in the cost calculation if the said 4 working hours have already been deducted.

5. Important court decisions

I. Market operators that establish a financial or business relationship with a person or organisation belonging to one of the sub-systems of the public finances, shall expect wider publicity.

II. If the request meets the minimum requirements for the specific identification of the requested data, the request shall be dealt with on the merits. Furthermore, if necessary, as a sort of active obligation, the requesting party shall be called on to clarify the request. (Court of Appeal of Pécs Pf.III.20.036/2019/4.)

If the data controller cannot prove in a lawsuit for access to data of public interest a decision-making process in which the data to be disclosed is used, it cannot effectively refer to the decision-underlying nature of the data, or to the fact that the disclosure of the data would jeopardize the lawful functioning of the organ performing public duties, or would jeopardise the performance of its duties without any undue external influence. Restrictions on publicity cannot be based on the possibility of an opinion being delivered at an uncertain date in the future. (Metropolitan Court of Appeal 32.Pf.20.913/2018/4-II.)

When fulfilling requests for data of public interest, bodies performing public duties shall, as a general rule, make the requested data available to citizens free of charge in the normal course of day-to-day operations. Fulfilling the data request necessarily involves a certain amount of workforce - this is an institutional concomitant of the fundamental right to access data of public interest. Only the cost of workforce exceeding four working hours may be charged to the data requester, if the fulfilment of the data request would involve a disproportionate use of the workforce necessary for the performance of the activities of the body performing public duties. The assessment of this shall be made in each case by careful consideration of all the circumstances. (Metropolitan Court of Appeal 8.Pf.20.420/2019/5.)

III. Personal and special data disclosed during court proceedings do not share the legal fate of data of public interest or data accessible on public interest grounds. II. The publicity of the hearing in the litigation procedure is not the same as publicity of the litigation documents. Interested parties may appear at the hearing and observe the oral procedure, but this right does not include access to documents. Documents in litigation procedure, including the minutes of hearings, may not be disclosed because of the personal data they contain, even if the procedural act of which they were made, has otherwise taken place in public. (BDT2005. 1277., Court of Appeal of Győr Pf.I.20.238/2016/7., Metropolitan Court of Appeal

17.Pf.21.336/2017/7., Court of Appeal of Szeged Pf.I.21.182/2017/14.)

On the interpretation of Section 27 (3a)^{^[1]} of the Privacy Act:

’The court of second instance shared the view of the judgment at first-instance regarding that the defendant, as a person outside the public finances, manages its own assets, risks and responsibilities when concluding material supply contracts, in order to fulfil a business agreement with a person belonging to the subsystems of the public finances. However, in the view of the Court of Appeal, it is not relevant that this created a new obligation. On the other hand, the Court of Appeal emphasizes that the link between the data, obtained in the context of the legal relationship between the defendant and its suppliers relating to the type, quantity, source and cost of all raw materials built-in in an EU-funded investment, and the public funds as a source, is too remote and indirect for the defendant to provide information about its details as data accessible on public interest grounds in accordance with the rules of Section 27 (3a) of the Privacy Act. On the basis of a grammatical interpretation of this section, the court of second instance also states that it is the person establishing a financial or business relationship with a person belonging to the sub-system of the public finances, who is obliged to provide data, namely with regard to the data accessible on public interest grounds relating to the legal relationship between the two of them. The contracts between the defendant and its subcontractors are not related to the sub-systems of public finances, thus the obligation to disclose data pursuant to

Section 27 (3a) of the Privacy Act cannot be interpreted for them.’

Judgement Nr. 8.Pf.20.031/2019/5. of the Metropolitan Court of Appeal

[1] Section 27. § (3a) of the Privacy Act: A natural person, legal person or organisation having no legal personality that establishes a financial or business relationship with a person belonging to one of the sub-systems of the public finances shall, upon request, provide information to anyone with respect to data that is public on public interest grounds based on paragraph (3) and that is in connection with such a relationship. The obligation to provide information can be fulfilled by disclosing the data accessible on public interest grounds, or by indicating the public source that contains the data disclosed earlier in an electronic form

6. Data of persons in the public service accessible on public interest

In the 2018 annual report of the NAIH, we devoted a separate subchapter to the publicity of data of employees accessible on public interest grounds, and the publicity of certain types of data in various categories of employment relations.

In 2019, one of the important developments in this area is that Act CXXV of 2018 on Government Administration (hereinafter: Government Administration Act or Kit.) entered into force on 1 January 2019, which created a separate law for the legal relationship of public service officials (government officials, state officials).

Act CXCIX of 2011 on Public Service Officials (hereinafter: Kttv.) lists which data are considered to be data accessible on public interest grounds (the name, citizenship, the name of the public administration organ employer, the beginning of public service relationship, classification data, position, date of appointment to lead position, granting of title, and remuneration).

However, neither the Government Administration Act nor Act CVII of 2019 on special status bodies and the status of their employees (hereinafter: Küt.), applicable only from 1 May 2020, contains a provision analogous to this.

As a result, the situation has arisen that different rules of publicity may be applied to employees of public administration bodies subject to different laws (Kttv., Kit., Küt.). Thus, while in respect of an employee in the public service subject to the Kttv, the data listed above, including the remuneration, are accessible on public interest grounds, but these data in the case of an employee holding a similar position but subject to the Kit. or Küt., no longer qualify as data accessible on public interest grounds pursuant to the Kit. and Küt.

On the one hand, this may, without a justifiable constitutional reason, lead to the discrimination of employees subject to the Kit., Küt. or Kttv., who, in the opinion of the Authority, belong to a homogeneous group, and to the violation of the requirement of equal treatment. On the other hand, it also results in a situation that violates the legal certainty in the application of law, with regard to Section 26 (2) of the Privacy Act.

Pursuant to Section 26 (2) of the Privacy Act, the name of the person acting within the functions and powers of the organ performing public duties, as well as his functions and duties, executive mandate, and his other personal data relevant to performing public duties, shall qualify as data accessible on public interest grounds.

On the basis of the consistent practice of the Authority related to this provision, the data on relating to remuneration is considered to be data accessible on public interest grounds in the case of an employee acting within the functions of the organ performing public duties. Having regard to the provisions of the Privacy Act, there is no reason to deviate from this practice, even after the Kit. and Küt. entered into force.

At the same time, for the sake of legal certainty, it should be avoided that in the absence of a specific provision requiring publicity among the types of data specified by law, the scope of interpretation of the term ‘data relevant to performing public duties’, as specified in Section 26 (2) of the Privacy Act, is referred by the regulation to the scope of the abstract legal interpretation of the data controller body performing public duties, requiring individual consideration.

The Authority’s experience also confirms the difficulties of legal interpretation arising from this legal situation. In connection with a specific notification in 2019, the Authority took the position that the remuneration and bonus of the head of the government office, as well as of the head and deputies of the district office subject to Kit. are data accessible on public interest grounds, given that they are clearly related to the function of persons performing public duties. However, other social benefits are no longer considered data accessible on public interest grounds. In relation to them, instead of providing personal data, only aggregated data shall be provided in a nonidentifiable manner.

In line with the domestic law enforcement practice and the previous decisions of the Constitutional Court, as well as with its resolution NAIH/2015/7163/2/V, the position of the Authority is unchanged regarding that the scope of data, specified in Section 179 of the Kttv., in relation to employees subject to the Kit. and Küt. shall be accessible on public interest grounds.

On the basis of the above, the Authority addressed a recommendation to the Ministry of Justice to prepare the necessary amendments to create a clear legal situation.

7. Local public affairs – openness of the operation of the bodies of local governments

2019 was a year of local elections and the increased interest of the constituent citizens in the transparency of local government operations became noticeable already in the previous period. Furthermore, the new representatives and mayors also raised issues and asked questions in many cases. A full^{^[1]} as well as an abridged version^{^[2]} of the NAIH guide on the openness of the operation of the bodies of local governments is available on our website, and this professional compilation reached all local governments through the Local Government Newsletter edited by the Ministry of Interior. The guide highlights the enforcement of the data principle rather than the document principle, furthermore, it details the conditions of closed sessions, the right of the municipal representatives to access data, the publicity of welfare cases, accessible information on municipal rental housing and provides guidance on mandatory publication of data and anonymisation.

The guide emphasizes that the local government representative does not have independent tasks and powers. Thus, his or her work primarily involves participating in the preparation, organization and monitoring of decisions on certain matters falling within the decision-making competence of the body of representatives and its committees. In the performance of his duties, the representative may access the necessary amount of data only during the discharge of the public task, in accordance with the principle of necessity and proportionality of the data processing. This also applies to the protocol of closed sessions held before the term of office of the representative, as well as to access to the data of the welfare records kept by the municipal notary. Thus, the representative may only have access to the relevant documents in a specific case to the extent necessary for the discharge of his tasks. (NAIH/2019/8161).

With regard to the protected data obtained in connection with their duties, the representatives and committee members may not provide information to third parties, they may not forward the data to them or allow them to inspect them.

When implementing data security, the main goal is to prevent the transfer of data to unauthorized persons. This can also be achieved if an internal, closed electronic mail circle is provided for the local government representative or committee member, thus preventing the document from being sent or forwarded to an “external” e-mail address. (NAIH/2019/8337.)

From the viewpoint of data protection, the correct procedure is when the submissions produced for the closed session are returned by the participants of the session after the decision of merit is made. It is expected of the person chairing the session to warn the participants of the session to handle the information on the case confidentially and their related obligation of confidentiality.

The submissions to and the protocol of the closed session shall not be subject to the obligation of publication, only the anonymised decisions of the closed session or the decision itself must be published. The Authority is consistent in its view that a request for access to data of the closed session cannot be rejected without examination on the merit, on the sole ground that the matter was discussed or decided in closed session and therefore cannot be disclosed.

Whether a session of the body of representatives is open or closed will determine the accessibility of the submissions and the decisions made there, as well as the protocol of it. The submissions and statements made at open sessions and the events taking place there qualify as data of public interest (or public data accessible on grounds of public interest), hence as a major rule the relevant data and information (submission, decisions, voting ratios) can be accessed freely by anyone without limitation and they can be disseminated. At the same time, it may happen that the documents of the open session include data subject to restriction on access.

In such a case all the protected data must be rendered illegible in all of the documents concerned. The obligation to protect the data holds despite and besides publication.

In the case of disposal over municipal assets and in the cases listed under Section 46(2) c) of the Local Government Act^{^[3]} –if an open session would infringe upon the business interests of the local government or another stakeholder, the body of representatives may order a closed session –exercising its power to weigh the matter. In line with the Fundamental Law, Section 7 of the National Assets Act^{^[4]} declares that the fundamental purpose of the national assets is to ensure the discharge of public tasks.

In the context of the possibility of discussing submissions related to municipal assets in closed session, the Authority underlines the importance of ensuring a wide range of publicity and if possible, not to order a closed session.

Resolving the conflict between trade secrets and the freedom of information, Section 27(3) of the Privacy Act, in case of the use of public funds, qualifies the “quasi” trade secrets as data accessible on public interest grounds. In this case, if the discloser expressly marks the parts concerning the trade secret and explains in detail the reasons for protection of the trade secret, the local government, as its contracting party, may not disclose it.

Section 46 of the Local Government Act provides for the openness of the sessions of the body of representatives and the conditions of holding closed sessions. Section 2 of the Local Government Act declares the openness of the sessions of the body of representatives as a principle, which is confirmed by the legislator in Section 46 (1) of the Local Government Act. In addition, each body of representatives must determine separately, in its own operating rules, how to ensure publicity, which binds the local government in disclosing the data. Participation in an open session of the body of representatives can take several forms: most often in person, but more and more local governments use live coverage of the sessions of the body of representatives e.g. on the local / local government television or radio channel or on the Internet (on the website of the local government, or social media), as a way of ensuring publicity. Pursuant to Section 26 (2) of the Privacy Act, personal data accessible on public interest grounds included in these recordings may be disseminated in compliance with the principle of purpose limitation. (NAIH/2019/7890, NAIH/2019/8077, NAIH/2019/8173, NAIH/2019/8256, NAIH/2019/8337).

[1] https://naih.hu/files/NAIH-guide-on-the-openness-of-then-operation-of-the-bodies-of-localgovernments2019.pdf

[2] https://naih.hu/files/ShortNAIHGuide-on-then-openness-of-the-operation-of-the-bodies-of-localgovernments.pdfhttps://naih.hu/files/ShortNAIHGuide-on-then-openness-of-the-operation-of-the-bodies-of-localgovernments.pdf

[3] Local Government Act: Act CLXXXIX of 2011 on the Local Governments of Hungary

[4] National Assets Act: Act CXCVI of 2011 on the National Assets of Hungary

8. Publicity of Public Procurement Data

Public procurement procedures are initiated by organisations managing public funds or certain undertakings outside the competitive sector (such as energy or water suppliers, public transportation companies, postal service providers) to procure services, goods or works above a certain value limit. Ensuring transparency and the public’s ability to control the efficient use of public funds is one of the key principles of the public procurement procedure. The Authority is of the firm view that, both the acts of the contracting authority and the documents submitted by tenderers in public procurement procedures fundamentally contain data of public interest and data accessible on public interest grounds. Publicity and transparency can be ensured through mandatory publication, inspecting documents and the fulfilment of requests for data of public interest.

The phases of the public procurement procedure:

Preparatory phase: planning public procurement procedures, annual public procurement plan, drafting the rules of public procurement
Launching the public procurement procedure -invitation to tender III. Supplementary informations
Preliminary dispute resolution, inspecting documents
Opening of the tenders received
Bid evaluation (summary of tender evaluation)

Request to make up for deficiencies
Notification of the tenderers on the results of the procedure (eventually legal remedy procedure, inspection of documents)

Conclusion of the contract with the winning tenderer, performance

The decisive point in terms of freedom of information is the decision on the selection of the winning tenderer and the conclusion of the contract. From then on, the data of the public procurement procedure can no longer be qualified as data supporting decision-making.

The law explicitly specifies to whom, when and what data shall be published in the electronic public procurement system (EKR) and on the website of the Public Procurement Authority. Thus, the public procurement plan, the names of the contracting parties, the concluded contracts and any amendments to the contract, as well as the data relating to the performance of the contract shall be published. These data are published at the Internet site https://ekr.gov.hu/portal/¬kezdolap.

The rules of general administrative procedure apply to the public procurement procedure and the legal remedy procedure of the Public Procurement Arbitration Board, based on which tenderers and other clients may, in justified cases, exercise their right to inspect documents (subject to restrictions). In the consistently held opinion of the Authority^{^[1]}, the right to access data of public interest, as a constitutional right, is broader than the right to inspect documents of which has an administrative procedural nature. The fact itself that the data requested to be accessed are used in a public procurement procedure or are generated in the course does not deprive them of their character as data of public interest, moreover precisely in this way these data will become data of public interest. In the case of procurement procedures closed by a decision, as a general rule, the documents shall be accessible (including, for example, the full winning tender, with the exception of trade secrets, or the data of not winning tenders that are necessary for comparison).

Following the conclusion of a defense and security procurement procedure, in addition to the general rules of the Privacy Act, the special provisions of the separate law must be applied to the accessibility of the data of defense procurements. In the interests of ensuring the transparency of managing public funds, trade secrets do not necessarily constitute a barrier to accessibility in this area, but the law provides a limited opportunity to qualify protected knowledge (such as technological processes, know-how, business strategies, etc.) that is important for management efficiency, as secrets. The rightful financial, economic or market interest of economic operators may override the public interest linked to accessing the data, but this must always be decided on an individual basis, after careful consideration.

[1] See NAIH Report 2018, page 113

9. Data underlying a decision

According to the resolution of NAIH (NAIH/2019/1824), the data controller lawfully refused to fulfil the request to access data of public interest when a complainant asked the Hungarian National Police Headquarters what police movements had taken place due to the demonstrations since 12th December 2018. The data requester asked, on a daily basis, from which towns police officers were assigned to Budapest, how many police officers were assigned, broken down by towns. Furthermore, the data requester asked how many police officers in total participated in the law enforcement operations and what “rank” they had.

Two previous judgments of the Metropolitan Court shall be taken into consideration in this case:

‘The specific headcount data of each police unit, the size and type of technical equipment available, and the knowledge of the names used in police radio broadcasting contain facts and circumstances that may indeed be suitable for preparing a subsequent decision.’ Furthermore ‘the aggregate statement of assets, the statement of the costs of the additional tasks incurred in connection with the mass demonstration, […] the event log shall contain data, the knowledge of which may be suitable for jeopardising the lawful functioning of the organ performing its tasks and competences without any undue external influence. (19.P24/882/2009/14)
‘In the case of data relating to the exact headcount of units involved in the operation, different police call numbers and the description of the technical means associated with each unit, a reference to these data as decision-preparing data is justified’. Furthermore, in other similar cases, an indication of the stuff number of the police securing the facility and event, as well as what technical means can be attached to the units may indeed be suitable to facilitate the preparation of a decision or to ensure lawful functioning and performance of the tasks and competences of the organ without any undue external influence. (19.P.24.246/2010/9)

In another case, a civil society organisation contacted the Ministry of Human Resources (EMMI) and requested to receive the ministerial response given to the recommendation of the Commissioner for Fundamental Rights in his inquiry into homelessness in particularly dangerous weather conditions („Red Code”). According to EMMI, this ministerial response letter is not considered to be of public interest and therefore, it shall not be subject of a request for data of public interest. In the course of the investigation, EMMI also claimed that the document contained data underlying a decision and, as the data requester requested the full document to be made accessible, it was not possible to fulfil the data request.

In a further request to substantiate the quality of the decision-preparing data, the EMMI explained that, in their view, according to Act CXI of 2011 on the Commissioner for Fundamental Rights, the response of the investigated authority to the Ombudsman’s recommendations is not considered to be data of public interest until the Commissioner for Fundamental Rights provides information on the cessation of the fundamental rights violation revealed in his report. Prior to this, we can only talk about intermediate working materials, which in this case are related to the material of a draft legislation still in preparatory stage related to homelessness care. Therefore, knowing the position of the Ministry would endanger the free expression of the standpoint of the preparers of the draft legislation during the preparatory work of subsequent decisions.

In its resolution, the Authority referred to the fact that the Commissioner for Fundamental Rights promotes and protects human rights by carrying out social consciousness and awareness-raising activities and by cooperating with organizations and national institutions aimed at promoting the protection of fundamental rights. The Commissioner for Fundamental Rights shall prepare a public report on his inquiries, setting out the findings of fact, and conclusions drawn therefrom. The published report may not contain personal data, classified data, secrets protected by law and secrets related to the exercise of a profession. Information on the action taken related to the public report as well as any other responses to the report are also public, data of public interest accessible to anyone. Furthermore, the letter from the Secretary of State for Social Affairs and Social Inclusion of the EMMI, obtained during the investigation procedure, did not contain any facts / data the disclosure of which would have jeopardised the lawful functioning of EMMI or the performance of its tasks and competences without any undue external influence, such as in particular, the free expression of the standpoint of the organ which generated the data during the preliminary stages of its decision-making process. However, it contained findings that would be of widespread interest in the protection of the homeless. At the request of the NAIH, the EMMI informed the Authority that they provided the data requester with the requested ministerial response which was given to the recommendations of the Commissioner for Fundamental Rights made in its report No. AJB-

809/2018. (NAIH/2019/1626)

10. TAO supports (corporate tax allowance)

The Authority received several submissions concerning the area of statutory benefits (TAO supports) in accordance with Section 22/C of Act LXXXI of 1996 on corporate tax and dividend tax (hereinafter: TAO Act). TAO supports - as „diverted” tax revenue - are public funds and the data relating to their management are considered to be data of public interest [Article 39 (2) of the Fundamental Law; Curia decision Pfv.IV.21.175/2017/14; Curia decision Pfv.IV.21.135/2017/10.].

Pursuant to the legal provisions, business organizations providing TAO support do not pay a certain part of their corporate tax to the budget, thus the state waives tax revenue and indirectly redirects it under the control of the state or sports associations, in order to finance the goals set by the state. Data related to the use of TAO support refer to public funds, even if these amounts are not actually entered in the budget but are “diverted” in the direction set by the state. The public fund nature of TAO support is also confirmed by Paragraphs 20, 58, 65 and 82 of Commission Decision C (2011) 7287, which is mandatory under Article 288 of TFEU. Furthermore, the nature of the support is confirmed by the fact that if the supported organisation does not use the support or does not use it for the purpose for which the tax allowance is provided, it must be repaid not to the sponsor but to the state, pursuant to Section 14 (2) of the Government Decree 107/2011 (VI.30.).

In its judgment No. Pfv. IV. 21.175/2017, the Curia stated that the amendment of Act XCII of 2003 on the Rules of Taxation (hereinafter: Taxation Act), which entered into force on 24 October 2016, is not applicable to data generated before it, with regard to the constitutional principle of the prohibition of retroactive legislation. Accordingly, the reference to tax secrecy as a restriction to publicity cannot be accepted. According to the judgment of the Curia, the amount of support offered to a given beneficiary during this period is, specifically item by item, accessible. In the case of data generated after the amendment, pursuant to the Taxation Act currently in effect, both the taxpayer offering the support and the beneficiary may restrict access to the data by reference to tax secrecy. (On the 1st January 2018, Act CL of 2017 on the Order of Taxation entered into force, which contains the rules of tax secrecy in accordance with the above). However, the Authority urges that a legitimate interest test should be carried out in all cases, in a documentable manner, in order to prevent possible disputes. A detailed justification shall be provided as to whether, in the specific case, there is a greater public interest in the transparency of the use of public funds or in the confidentiality of data that may be considered tax secrets. Furthermore, the aspects on the basis of which the release of data would harm the business interests and privacy of the taxpayer or the beneficiary must be taken into account. The Authority draws the attention of data controllers to the fact that pursuant to Section 31 (2) of the Privacy Act, the data controller must prove the lawfulness of the refusal and the reasons for the refusal. It should be emphasized that the Taxation Act, in legal relationships under tax law, defines data as tax secrets in connection with the process of ‘offering’ support. If the access to data in the public interest is requested not for the purpose of obtaining data related to the taxpayers offering the support, but related to the use of the support, the request cannot be lawfully rejected by referring to tax secrecy.

11. Football academies

In one case of the Authority, the applicant complained that the Hungarian Football Federation (MLSZ) and the Investment, Technical Development, Sports Management and Public Procurement Ltd. (BMSK Ltd.) had violated his right to access data of public interest and data accessible on public interest grounds by failing to provide the sub-reports, to the submission of which the clubs concerned are obligated according to the grant agreements concluded for the development of the football or sports academies concerned. The MLSZ, as a national sports association performing tasks specified by law and exercising special rights, as well as BMSK, are considered to be bodies performing public duties, so the data processed and generated in connection with their activities are generally data of public interest and data accessible on public interest grounds.

The sports clubs concerned, as beneficiaries, have (partial) reporting obligations and are accountable to the MLSZ as a supporter, but the (partial) reports and accounts are received, controlled and kept by BMSK Zrt. on behalf of the MLSZ. Thus, MLSZ qualifies as a data controller, and BMSK Zrt. qualifies as a data processor mandated and managed by MLSZ.

As a result of the investigation, the Authority found that the MLSZ had violated the data applicant’s right to access data of public interest and data accessible in public interest grounds and requested the MLSZ to send the documents that are the subject of the data request to the data requester. Following the request of the Authority, the MLSZ made available (provided) all the accounting documents submitted to BMSK Zrt. with regard to four academies. However, with regard to the other five academies, MLSZ informed the Authority that it did not possess a closed, publishable partial report, as the audit of the partial reports was still ongoing, or the beneficiary did not submit the report or remedied its deficiencies despite the (repeated) notifications of BMSK Zrt. The investigation and assessment of this omission, however, does not fall within the scope of duties and competence of the Authority. (NAIH/2019/1111)

In another case, the applicant objected to EMMI’s rejection of a request to provide a copy of a football academy’s investment concept („the requested data underlies future decisions”). However, in the opinion of the Authority, the investment concept approved by the Government is not affected by these subsequent decisions, consequently the investment concept is not a data underlying a future decision, therefore the disclosure of this data of public interest cannot be restricted based on the Privacy Act. EMMI could have relied on the basis of the decision-making process only until the investment concept was completed, given that the final, approved form of the concept was the decision itself. The fact that the implementation of the investment is in progress after the approval of the concept, shall no longer restrict the disclosure of the data, unless the success of the implementation would be jeopardized by the release of the data. However, no circumstance to that effect has been revealed during the examination of the request for data. (NAIH/2019/4445)

12. Prison regulations

According to Act CXXX of 2010 on Legislation, the Director General of the Hungarian Prison Service Headquarters (BVOP) may regulate the organization, operation and activities of the bodies under its management, direction or supervision in a normative instruction, and these regulations shall be published, except for those containing classified data. In respect of this, the BVOP instructions are, as a general rule, available to anyone, and detainees are also entitled to know them. As their right to electronic administration is suspended during the execution of a custodial sentence, the detainees may also file a request for access to the BVOP instruction with the institution of the place of detention, or request from their contact person or legal representative to print and hand over the regulation.

By contrast, special instructions, circulars, and other internal regulations are regulatory tools of management tasks addressed to the staff of the organization, which can be issued for general, technical issues of the day-to-day activities of penitentiary institutions, if not regulated by law or public regulatory instrument and the issuance of a public regulatory instrument is not mandatory. All BVOP instructions (except those containing classified information) are available in various legislation database and on the website of the Hungarian Prison Service. Special instructions, circulars and other internal regulatory instruments are not considered to be public regulatory instruments thus, their publication is not obligatory. Accordingly, the BVOP is entitled to decide whether it wishes to publish them. As the publication of BVOP special instructions may pose a security risk to the operation of the prison service, in order to prevent large numbers of prohibited objects from entering and to prevent corruption offenses, the BVOP has decided to strengthen its security measures in all areas, to review the special instructions already published and if necessary, amend and no longer publish its special instructions. (NAIH/2019/4389)

13. Environmental information

According to its importance, the Authority treats environmental information as “privileged” data of public interest, as without access to environmental information, citizens cannot properly exercise their rights to a healthy environment enshrined in the Fundamental Law. It is therefore important to emphasize that pursuant to Act LIII of 1995 on the General Rules of Environmental Protection (Environmental Protection Act), data related to environmental impact, environmental hazard and environmental endangerment must be provided not only by organizations performing public duties or managing public funds, but also by all organizations and companies.

In 2019, the Authority examined a number of cases related to environmental information where it was necessary to draw the attention of organs performing public duties to broadest possible interpretation of the concept of environmental information, as supported by the Implementation Guide to the Aarhus Convention (promulgated by Act LXXXI of 2001), as well as the case law of the Convention Compliance Committee and the European Court of Justice.

In one case, the request to access noise measurement data was not fulfilled because the data had not yet been evaluated. It is possible that the evaluation and validation of the raw data leads to a different result from the original data, but the raw data is also environmental information^{^[1]}, and when disclosing such data, the data requester shall be informed about the lack of processing. (NAIH/2019/5627)

In another case, the local government did not make the air pollution test report ordered from the National Meteorological Service available to local government representatives because ‘no far-reaching conclusions can be drawn from its findings’. The protocol stated that ‘the concentration of the highly carcinogenic benzo (a) pyrene exceeds the daily limit value for 4 days, reaching almost four times that on the most polluted day. […] However, it is necessary to take into account the fact that far-reaching conclusions should not be drawn from such a short measurement program, a reliable determination of the sources of pollution would require long-term measurement, possibly testing of additional components.’ The Authority emphasized that the data being able to draw conclusions from is not a requirement for the disclosure of data. (NAIH/2019/7779)

In cases where the controller is vested with discretionary powers, significant weight must be given to the public interest in disclosure of environmental information. We drew the attention of the local government of a city with county rights to this factor, when it did not want to publish a feasibility study and cost-benefit analysis containing environmental data. The feasibility study was prepared in connection with the invitation to tender of the Integrated Transport Development Operational Program ‘Development of Sustainable Urban Transport and Improvement of Suburban Rail Access in Less Developed Regions’ and clearly included environmental information, because measures and programs related to the environment, as well as activities and cost-effectiveness and other economic analyzes that are likely to have an impact on environmental elements and environmental impact, are also considered as such pursuant to Section 2 (e) of Government Decree 311/2005 (XII.25.) on the Rules of Public Access to Environmental Information.

A project that will determine the development of a city’s public transport for decades will have a significant impact on the environment of the people living in the city, the air quality and the level of noise. Important environmental information is whether environmental values are properly “priced in” and how the costs of environmental impact are incorporated into the cost-benefit analyses used to make decisions that affect the environment. Thus, the publicity of cost-benefit analyses and feasibility studies ensures the transparency of whether environmental costs and values have been taken into account when deciding on a project. In addition, the feasibility study contains a number of emission data, the disclosure of which is subject to even stricter rules than the general rules applicable to environmental information, prevailing over the interests of the protection of personal data, business secrets and tax secrets. (NAIH/2019/1016)

In another case related to emission values, a civil organisation of local residents requested access to an acoustic expert reports commissioned by a Budapest district mayor’s office. The mayor’s office rejected the data request, arguing that according to the clauses of the acoustic expert report they ‘constitute a business secret and intellectual property’, and they are subject to copyright, thus the publication of expert reports is subject to the consent of the authors. The Environmental Protection Act classifies the establishment of local noise protection rules among the environmental protection tasks of local governments, in the capital the district representative body may issue a decree on the establishment of local noise protection rules. The mayor’s office is obliged to analyse, assess the state of the environment in its area of competence and inform the public about it at least once a year. The office commissioned the preparation of acoustic expert reports, the purpose of the investigation was to examine the noise level in the streets of the district and to propose a plan of action to reduce noise. Based on the above, the acoustic expert reports are data of public interest, as they are processed by a body performing public duties, they were generated in connection with the performance of the public duties of this body and the expert reports were paid from public funds. Acoustic expert reports are considered to be data of public interest not only under the Privacy Act, but also according to the Environmental Protection Act. Section 12 (2) of the Environmental Protection Act states that ‘everyone has the right to have access to environmental information considered as data of public interest in accordance with specific legislation’. Section 2 (b) of Government Decree 311/2005 (XII. 25.) classifies information related to ‘environmental impact, including the direct or indirect release of noise into the environment’ as environmental information.

With regard to the copyright restriction, it should be noted that Act LXXVI of 1999 on Copyright does not restrict the right of access to works protected by copyright as data of public interest; Section 15/A. of the Act only allows for stricter procedural rules than those contained in the Privacy Act: ‘In order to protect the author’s personal rights, the body performing public duties shall be empowered to comply with any request for access to works protected by copyright as data of public interest or data accessible on public interest grounds, by allowing access - inside the time limit prescribed for compliance with the request - to review sections of the work that contain the data of public interest or data accessible on public interest grounds, instead of the form and means desired by the requesting party.

On the basis of the above, the Authority established that the controller violated the applicant’s right of access to data of public interest by not giving access to the parts of the acoustic expert report requested by the applicant concerning the measurement results and noise maps. Following the notification of the Authority, the mayor’s office fulfilled the data request. (NAIH/2019/2549)

The concept of “party” was the subject of the case, in which the complainant requested access to a decision on a final authorisation by the Environmental Protection Agency and to an opinion from a national park directorate on the decision (hereinafter: NP opinion) from a government office. The reason for the rejection of the data request was that the data requester does not qualify as a ‘party’ pursuant to Section 10 (1) of Act CL of 2016 on General Administrative Procedure. In its decisions, the Authority explained that the Administrative Procedure Act does not contain a restrictive provision on the disclosure of a specific set of data of public interest. The right to inspect documents specified in Section 33 of the Administrative Procedure Act shall not be confused with the right of access to data of public interest, as the restriction formulated therein does not apply to data of public interest. The publicity of the final decisions - the legal basis of which is stated in the Privacy Act – is, however, also highlighted in Section 33 (5) of the Administrative Procedure Act. Furthermore, the authorisation by the Environmental Protection Agency and the NP opinion contain environmental information.

In its judgment in Case C-321/96 (Mecklenburg judgment), the European Court of Justice stated that any act which adversely affects or protects the situation of an environmental sector, is considered as environmental information. It is not necessary for this act to be a decision closing the procedure. Accordingly, the (intermediate) decision of the the Environmental Protection Agency is environmental information, provided that it affects the decision approving the construction plans. The public interest in the publicity of an authorisation by the Environmental Protection Agency for a specially protected natural area and the opinion of the national park taking into account the values of the area, as well as in the transparency of the procedure is paramount, therefore the Authority repeatedly ordered the government office to comply with the data request. (NAIH/2019/78)

It is important to note that a wide range of environmental information is handled by several bodies, making it difficult for citizens to find out which environmental information they can request from where. Therefore, bodies holding environmental information are particularly expected to fulfil their obligation of publication, with special regard to the publication of the list of environmental information [see Section 12 (3) of the Environmental Protection Act and Section 3 f) and Section 4 of Government Decree 311/2005 (XII. 25.)]. In the case of the air pollution test report described earlier, the Authority also ordered the local government to fulfil its obligations regarding the publication of environmental information. The local government complied with the Authority’s request and published the list of environmental information, as well as uploaded the air pollution investigation report to its website.

[1] See the findings of the Aarhus Convention Compliance Committee on communications

ACCC/C/2010/53

14. Publicity of the media and the Internet

According to the Organizational and Operational Rules of the Authority, the FOI Department is responsible for handling data protection cases where, in addition to the right to the protection of personal data, there are other fundamental rights related to the publicity of data (in particular fundamental rights related to the publicity of data of public interest or data accessible on public interest grounds as well as to freedom of the press and freedom of expression) co-existing or conflicting with each other. In 2019, the Authority issued reprimands to the data controller in two cases (without imposing a fine) in data protection authority procedure, in two cases the procedure was terminated and the other cases are still pending. Typically, online publicity (i.e. social media) is the scene of alleged violations. In this connection, the Authority would like to draw the attention to the fact that it is recommended to report the disputed content, pages, groups and profiles to the data controller (Facebook) in the first instance, furthermore, their deletion can also be requested here^{^[1]}.

In one of its decision , the Authority found that the mayor’s report on decisions taken in a closed session of the body of the representatives was unlawfully published on the website of the mayor’s office of a large municipality in such a way that the personal data of a former employee in a labour lawsuit with the municipality were not obscured. Furthermore, the data subject’s request for erasure was rejected on the grounds that the decision of the body of representatives taken in a closed session was public, and accordingly the mayor lawfully provided objective information on the decision of the closed session as a mandatory agenda item. In the present case, it had to be considered whether the legal proceedings initiated due to the termination of the employment of a civil servant are directly related to the activities and operation of the local government. The mere fact that the mayor’s office, as an organ performing public duties, is involved in a labour lawsuit with a former civil servant shall be considered data of public interest related to the office. Thus, the fact of a labour lawsuit may be disclosed without disclosing the identity of the former civil servant. Accordingly, the personal data of the data subject must be made unrecognisable, as suggested in the NAIH guide on the local governments referred to earlier.

In its other decision^{^[2]}, the Authority issued reprimands to the individuals who posted on Facebook a court judgment and a decision of the prosecution containing personal data of the complainants. Regarding the restriction of the visibility of the posts (to friends), the Authority noted that in this case the data processing cannot be considered as purely personal or household activity, as the files were not uploaded by the data subjects themselves, furthermore the data controllers have more than 1000 friends on the community site, who thus all had access to the documents. (NAIH/2019/69)

However, in another case, a municipality notary approached the Authority with the question of whether a court judgment involving the local government could be shared by the plaintiff on the Facebook community site. To ensure the publicity of court decisions, Act CLXI of 2011 on the organization and administration of the courts provides for the tasks related to the Register of Court Decisions, including the scope of decisions to be published, the procedural rules for publication and the protection of personal data. Section 166 (2) of this Act specifies that, unless otherwise provided for by law, in the decision published in the Register of Court Decisions it is not necessary to erase the following data:

the surname and forename or forenames (hereinafter referred to collectively as “name”) and position of a person performing governmental or local governmental tasks, or other public duties specified by law, if that person was participating in the proceedings in connection with performing his public duties, unless otherwise provided by law,
name of the attorney or bar association legal counsel acting as an agent, and the name of the defence counsel,
name of the natural person, who has been unsuccessful as a defendant, and the name and registered office of the legal person or entity without legal personality if the decision was adopted in a case in which a claim in the public interest can be enforced in accordance with the relevant legislation,
name and address of the association or foundation, and the name of its rep-resentative,
data accessible on public interest grounds.

The court judgment in the proceedings in question (initiated for unlawful termination of employment) contained the name and address of the plaintiff, the name, registered office of the law firm representing the plaintiff and the name of its lawyer, the name and registered office of the defendant (local government) and of the representative lawyer of the defendant as well as the name of the mayor of the municipality. With the exception of the data of the plaintiff, which was not obscured by its own decision, the data to be published are considered to be data of public interest and data accessible on public interest grounds pursuant to the Privacy Act, which data should not have been erased according to Act CLXI of 2011 even if the judgment had been published in the Register of Court Decisions. In view of the above, the Authority found that, from a data protection point of view, the publication of the judgment by the applicant cannot be objected to. (NAIH/2019/2631)

[1] Information on when and how to report something on the social network can be found in the FB Help Center by using „Rules and Reports” link, „Report Abuse” menu point, which can be accessed without registering or logging in.

[2] https://www.naih.hu/files/NAIH_2019_3114_hatarozat.pdf .

15. Search engines

Complaints about the rejection of requests to be removed from the Google Search results list are not subject to the one-stop-shop mechanism introduced by the GDPR, i.e. in such cases not the Irish data protection authority (as the supervisory authority of the main European establishment of Google) is competent to act, but the national data protection authority to which the complaint has been lodged.

The GDPR also provides for exceptions to the ‘right to be forgotten’:

if the processing is necessary for exercising the right of freedom of expression and information (freedom of information in the broadest sense)
the public interest justifies the need for data processing
there are private interests to be protected (i.e. the data processing is necessary for the establishment, exercise or defence of legal claims)

In 2019, the Authority also received a number of submissions in which complainants objected that Google had not deleted certain URLs from Google Search results despite their request.

In several cases, Google accepted the authority’s argument that there was in fact no public interest against the data subject’s right to erasure. The Authority also received a complaint in which the data subject complained that his name had been linked to a political party. Thus, he did not in fact seek to remove the indicated URL, but merely to have Google remove the expression linked to his name from the search engine. The Authority found that the removal of the link between the name of the data subject and the contested expression did not affected Google’s interests and did not restrict either the freedom of expression or the public’s right to information. At the Authority’s request, Google deleted the expression linked to the complainant’s name from the search engine. (NAIH/2019/7821)

Several data subjects, whose data are listed in the business register, complained that by entering their name in the google.com internet search engine, their name, mother’s name and address will be also available in the search results list. In the case, the Authority addressed a recommendation to the Minister of Justice to review the rules on access, dissemination and searchability of personal data accessible on public interest grounds, processed in the business register. In particular, access to Internet search engines and the enforcement of the principle of data minimisation is required at a level, which can proportionately ensure the original objectives of the business register, i.e. transparency and fairness of business, so that direct access to company data, including personal data, is differentiated, taking into account the requirements of necessity and proportionality. In 2019, the Ministry of Justice addressed the revision of the disclosure requirements for company information, however, the legislative changes described by the press, which would have made access to data contained in the company register subject to registration and payment of fees, were not realized. Thus, the Decree of the Ministry of Justice^{^[1]} complained of in the recommendation was not amended contrary to preliminary plans.

[1] Pursuant to Section 5 (3) of the IRM Decree 47/2007 (X. 20.) on free company information:

(3) The data referred to in paragraph 1 may also be accessed by means of Internet-based search engines. In this case, it is not necessary to use a name and password to access the data.

16. Identity of the data requester

The Authority has received several submissions for consultation aimed at clarifying the identity of the data requester:

‘Can an organ performing public duties be required to provide data on the basis of a request from which the identity of the applicant cannot be identified?

Which data is the minimum necessary to clearly identify an applicant?

Given that applicants never indicate the purpose of their request or their subsequent use of data, is the applicant required by law to indicate any purpose in his request?‘

The basic requirement of the Privacy Act, arising from the Fundamental Law, is that “anyone” may submit a request for access to data of public interest or data accessible on public interest grounds, without having an obligation to tell and / or justify his or her identity (or even in other respects). The category of anyone includes all natural and legal persons, or entities without legal personality. However, when an individual request for access to data is received by the organ via mail, and without any identifying information, the data request may not be fulfilled. The circumstances of each request for data must be examined on a case-by-case basis and, if the request can be fulfilled in another way, even by electronic means, that way shall be chosen. In summary, the data controller is not entitled to verify identity and cannot request a statement on either the purpose of the data request or on the motivation of the requester.

2018

Introduction

At the beginning of this chapter, we wish to mention several phenomena and developments related to FOI alongside the most important Constitutional Court rulings. In last year’s report we already pointed out that GDPR has influenced also FOI cases. The related provisions of the Privacy Act were left untouched by its 2018 amendment, yet there is an increasing number of cases, complaints, which belong in the ‘common set’ of the two informational rights. This is especially true of manifestations freely spreading on the internet. Insofar as the right to the protection of personal data and the fundamental right related to the publicity of data – the right of access to data of public interest and data accessible on public interest grounds – are enforced together or in conjunction, the possible collision of constitutional rights has to be resolved in one way or another. A decision has to be made as to the protection of which interest serves the public interest better, and as to which concrete provisions of law and principles of law the decision can be traced back to. In these cases, the data subjects, persons whose rights were infringed, are either public persons (who by their positions in local or national public life become shapers of public opinion, yet at the same time they feel their privacy and personal data are threatened by others) or, quite to the contrary, persons fulfilling public offices (e.g. mayors) who choose improper means of ‘exposing’ infringements and pillorying others.

At the end of 2018, several submissions were filed with the Authority in relation to the publication of image recordings of mass demonstrations and the activities there in social media or various press organs. At mass events, private persons, parliamentarians and non-press organizations may naturally making video recordings, and, though the provisions of the Act on the Press do not apply to them, they are subject to the provisions of the GDPR, the Privacy Act, and the Civil Code. The lawfulness of the non-personal use, data processing, of such recordings is conditional on meeting various requirements under law, most emphatically among them, the lawful purpose of data processing and the related determination of appropriate legal basis (NAIH/2018/7556/V, NAIH/2018/7547/V).

The NAIH assumed a more intensive international role on the other fundamental right area in 2018. The most significant achievement of this was the international symposium presenting ‘caselaw practices’ in Budapest between 26 and 27 November 2018, which was attended by the staff members of national institutions for the supervision of the accessibility of public sector information from eleven countries (South Africa, Morocco, Germany, United Kingdom, Albania, etc.). Sixteen presentations were the basis of discussion, outlining the powers available to supervisory organs, the means of enforcing rights through the courts, the systems of publication schemes, as well as the cases of collision with other constitutional rights.

For a uniform judicial application of law and the enhancement of legal security, the comprehensive opinion of the workgroup analysing court practice entitled ‘Lawsuits on providing access to data of public interest’ was published. Under the provision of law, the leaders and members of the workgroups were the judges of the Curia, but as an external expert NAIH was also invited. As a result of two years’ analysis, the comprehensive opinion included the analysis of the rulings sent by the courts to the Curia, separately discussing comments and suggestions on substantive and procedural law. For instance: judicial practice recognizes no extended interpretations in the case of references to bank and tax secrets, or when the requester of data access cannot define the scope of date requested with sufficient precision, as per the rulings studied, the courts proceed in good faith towards the requesters, the reason being that the subject matter of the lawsuits is precisely the lack of information.

2018 saw the start of the review of the Directive 2003/98/EC of the European Parliament and of the Council on the re-use of public sector information (hereinafter the ‘PSI Directive’). The public sphere produces an immense amount of data (e.g. meteorological data, digital maps, legislation, etc.), which are important resources of the digital economy. In its evaluation report, the Commission found that further measures are required in various areas; these include: the provision of real-time access to dynamic data via adequate technical means, increasing the supply of high-value public data for re-use, and tackling the emergence of new forms of exclusive arrangements and the use of exceptions to the principle of charging the marginal cost. NAIH also participated in forming the Hungarian position on the amendment of the PSI Directive – unfortunately, Hungarian preparedness with regard to open data had not been a success; though the Directive was transposed into Hungarian law, implementation has lagged behind.

1. Constitutional Court Practice

For references’ sake, the Constitutional Court adopted several major decisions on FOI:

Decision AB 3077/2017. (IV. 28) (list of lawsuits pending over four years). The Constitutional Court rejected the constitutional complaint, because the name of a legal-person party to a civil lawsuit (complainant or defend-

ant) does not constitute data of public interest, and therefore the controller (the court) shall not be obligated to provide access to the data.

Decision AB 3/2018 (IV. 20) (The transparency of grants to natural persons by the Hungarian National Bank): The concealment of the names of winners of competitions by foundations undoubtedly managing public funds and performing public functions can be traced back to an omission by the legislator, because the personal effect of Act CLXXXI of 2007 on the transparency of grants from public funds does not extend to data controllers, and thus no personal data shall be accessible authorization by law lacking.
Decision AB 3133/2018 (criteria of fulfilling wide-range data requests). The National Institute for Health Development rejected a request for documentation made during the examination to qualify a so-called psychoactive agent by reference to section 27 (5) of the Privacy Act. In its decision, the Curia highlighted that ‘in view of the very special nature of the data requested for access, the restriction of publication, otherwise exceptional, is justified. According to the Curia, there is a genuine possibility (danger) that a publicly open specialist debate on the given very sensitive issue would put the persons involved in formulating professional opinion under major pressure, and this could certainly jeopardize the lawful operational order of the organ performing public function – the defendant – the fulfilment of its duties and powers without undue external influence, and thus especially the free expression of its data-generating opinions in the course of preparing its decisions. The assessment of drugs – and psychotropic or psychoactive agents qualified the same – is such an exceptionally special area that can result in a collision with not only lawful interests; it must however also be taken into account that the results of the decision-preparing work is regularly manifest in public provisions of law, and the list of agents concerned is continually changed, increased, and transformed.’

The Constitutional Court rejected the constitutional complaint, and emphasized that the data request by the claimant actually meant information with no actual quantitative limit and precise definition of scope, and was included in documents preparing decision making, and therefore the judicial interpretation of law was justified in applying the rule of automatic non-disclosure for the full decision-preparing process covered by the data request.

Decision AB 3254/2018 (VII. 17) (the publicity of the foreign travels of a secretary of state): with respect to two concrete official trips by the state secretary for the Prime Minister’s Office, the requester for data access wanted to know, apart from the subject matter of the negotiations (which was disclosed as a data of public interest), the names of the negotiating parties.

The Constitutional Court rejected the constitutional complaint stating that these were personal data, the publication of which would require a concrete provision of law to qualify them as accessible on public interest grounds, not including sections 26 (2) and 27 (3a) of Privacy Act or when the data subject consents to the disclosure.

2. Local Public Affairs – Questions of Creating Wide-range Local-government Publicity

Section 2 of Act CLXXXIX of 2011 on local self-government in Hungary regards the actual and effectual realization of publicity as a condition of self-government. It is thus a primary aspect in self-government operation that the principle of wideranging publicity is enforced, and all members of the community respect it. In practice however, the relation of local governments to FOI is variegated. The offices of some communities approach data access requests on an up-to-date ‘fundamental rights’ basis, while many others are not fully prepared, and regard data requests by citizens as harassment.

In the course of its inquiries and consultations, the NAIH also seeks to assume the role of a mediator between the parties, and assists mayors, local representatives, notaries, administrators, and officers of local-government companies in their work in the proper interpretation of law. (A member of our staff held lectures on the issues of local-government publicity for those responsible for data protection at Government Offices as invited by the State Secretariat for Territorial Public Administration and at a conference of notaries organized by the Hajdú-Bihar

Government Office.)

2.1 Fulfilling Data Requests

It should be borne in mind that 2019 is going to see local government elections in Hungary, and the activities of local governments and the related public sector information will receive greater public attention, for which data controllers will have to prepare. An indispensable condition ensuring FOI is for heads of organs to review their resources, and prepare their organizations to meet the requirements of changed needs by reorganizing, rationalizing, and expanding them.

In the practice of law of the NAIH, the organs of the local representative bodies constitute a unit from the perspective of ensuring FOI; that is, they cannot be regarded as separate organs performing public duties, and may not refer to any grounds that local government data access requests (e.g. access to declarations of personal assets, data of European Union tenders) should have been filed not with them. If there are internal rules on fulfilling data requests, the requests should be forwarded without delay under internal procedures to the person responsible for assessing and fulfilling them. Apart from this, notaries have a prominent role in coordinating, professionally and lawfully fulfilling or justifiably and lawfully rejecting requests.

2.2 The Rights of Local Representatives

There is long-standing and particularly recurrent dilemma of interpretation with regard to local representative’s right of access to information, which can only be resolved by the interpretation of the Local Government and Privacy Acts and the GDPR in conjunction. The local representative has no independent scope of duties and competences, his ‘work as representative’ consists in the participation in the preparation of decisions in certain matters subject to the competence of the representative body and its committees, and the organization and monitoring of their implementation. If the representative wishes to practice not his right to access information as a representative under the Local-government Act but the right of access to data of public interest, the rules under the Privacy Act must be applied when fulfilling requests to access data, but, in this case, the representative has no further entitlements than any other citizen, and has no right to access tax secrets, data in social welfare records, the personal data of public officials, and the employees of local government companies, or any other protected information. With the exception that these data are qualified as data accessible on public interest grounds by special provisions of law, or a local government decree based on the authorization of an Act authorizes the representative to access a type of data in order to fulfil his duties as a representative, or the local government assigns him as a member of a committee or individually (e.g. as a counsellor) to plan, organize, or supervise a duty in the competence of the local government. Complying with the principles of purpose limitation and data minimisation, the representative may need to access personal data (types of data) listed by law.

2.3 The Data of Employees Accessible on Public Interest Grounds

The data of employees of local governments accessible on public interest was also a subject matter we often treated of. In respect of publicity, various categories of employment have to be differentiated with the proviso that the personal data of the person acting within the functions and powers of the organ performing public duties are also public when related to the fulfilment of the public duty, as several NAIH opinions, Constitutional Court decisions, and rulings by the Curia and the Budapest Court of Appeal unanimously point out (it is on this basis, upon assessing the given data request, that data concerning qualification or information about overtime work may be deemed as a personal data related to function and thus to be disclosed in spite of the fact that these are not listed by concrete law).

The widest circle consists of public officials. Under section 179 of the Act CXCIX of 2011 on Public Service Officials, the name, citizenship, the name of the public administration organ employer, the beginning of public service relationship, classification data, position, date of appointment to lead position, granting of title, and remuneration shall be data accessible on public interest grounds. It is important to note that the Privacy Act distinguishes between the accessibility of data, the dissemination of data and the publication of data; thus e.g. the proposals submitted to open sessions of local representative bodies containing personal data accessible on public interest grounds shall be published on internet websites for one year at most.

Under Act XXXIII of 1992 on Public-sector Employees, data of public-sector employees of local-government institutions accessible on public interest grounds shall be the name of the employer, the name of the public-sector employee, his or her position, and classification (i.e. no numeric data on remuneration).

The data of employees shall however not be data accessible on public interest grounds but personal data subject to protection. Employment contracts may be disclosed after anonymization (rendering unsuitable for personal identification), and employee data may be issued only in aggregated form, as statistical data. Under the Labour Code (Act I of 2012), the personal data of the employees of companies owned by local governments shall be transferred not even to local representative bodies, because, in terms of the continuance of the employment relationship, the representative body constitutes a third party. It is incorrect data processing practice to transfer the payroll with the data of employees included, in a way suitable for personal identification, in order to account for public subsidies. It must be noted however that section 2 of Act CXXII of 2009 on the More Economical Operation of Publicly Owned Enterprises, prescribes concrete data disclosure and internet publication obligations with regard to the officials of such companies.

2.4 The Transparency of Public Funds and Government Subsidies

Section 27 (3) of the Privacy Act provides for the transparency of publicly funded contracts of services and state subsidies, specifying local governments and ex lege qualifying data related to the budget, the use of European Union funds, and the managing of local government assets as data accessible on public interest grounds. Any other party (not the state) entering into such a contract shall be bound by the obligation to inform anyone thereof upon request. Data related to the names of beneficiaries of government subsidies, the place of implementation of the support programme, the allocation of public funds, management of public assets, and the denomination (type), subject matter, and names of parties to purchase, construction and service contracts worth HUF 5 million or more, and other data listed therein are accessible on public interest grounds, and must be published. In respect of the legal relations mentioned above, the names of natural persons qualify as data accessible on grounds of public interest. In the case of data qualifying as not relating to government subsidy, date on natural persons shall be protected (NAIH/2018/3091/2/V).

2.5 Declarations of Personal Assets

There is a continued interest in accessing declarations of the personal assets of mayors and local representatives. Under section 39 (3) of the Local Government Act, the declarations of the personal assets shall be recorded and controlled by a committee provided for under the organisational and operational regulations (committee for declarations of the personal assets). The declaration of the personal assets of the local-government representative, excluding the identification data submitted for control purposes, shall qualify as data accessible on public interest grounds; we must however call attention to the fact that dissemination of these data is subject to the principle of purpose limitation, and their publication on webpages is governed by special provisions. Currently, Annex 1 of the Privacy Act does not provide for the obligatory publication of the declarations of the personal assets of local representatives, but no provision forbids local governments from nevertheless publishing them under organ-specific publication schemes (NAIH/2018/4196/V, NAIH/2018/1256/V).

2.6 Local Governments and Digital Publicity

In the 21st century, wide-ranging publicity can be achieved digitally, by internet publication, in the most cost-efficient and citizen-friendly way (electronic FOI). The content and requirements of ‘locally customary mode of publication’ have definitively changed. Internet publication has come to parallel ‘analogue’ or customary modes of publication, such as billboards, gazettes, local television, etc., and will become almost exclusive in the coming decades. From the point of view of FOI, this the greatest challenge for local governments, which is corroborated by a significant number of submissions filed with the Authority.

In the framework of the programme entitled ‘Local-government Companies – The Audit of the Economic Management of Companies whose Majority Owners are Local Governments’, the State Audit Office notified the Authority several times on the deficient fulfilment of the electronic publication obligations of local governments and the companies they own, because the data of managing officials, supervisory board members, authorized signers, and employees entitled to disposal over bank accounts qualify as data accessible on public interest grounds under Act CXXII of 2009 on the More Economical Operation of Publicly Owned Enterprises. Without exception, all local government companies made up for the deficiencies in accordance with NAIH notices (NAIH/2018/1224/V, NAIH/2018/1394/V, NAIH/2018/1597/V, NAIH/2018/1644/V).

Local governments are not obliged to run websites, but they are obliged to publish their data of public interest under the Privacy Act in the way and place of their choice (kozadat.hu, kozadattar.hu). In the practice of the Authority, local governments operating webpages serve the information rights of citizens appropriately when they publish the data required by the Privacy Act to be published thereon. The publication scheme in Annex 1 of the Privacy Act, the Government Decree 305/2005 (XII. 25) and Decree 18/2005 (XII. 27) of the Ministry of Informatics and Telecommunications ‘assist’ the compilation of the content of the public sector information repository.

Several submissions have been filed with the Authority due to the deficiencies of publication schemes or the data protection infringements they give rise to. Citizens like to take an interest in the activities of local decision makers, and data requesters regularly ask for information about the minutes of the meetings, decrees, proposals, agendas of the local representative bodies, and the invitations to and minutes of their various committees if this information is not found on the websites of local governments. This applies to the data on local government management, local budget conditions, and the details of spending public funds at local disposal. A ‘popular’ subject is the costs of events organized by local governments, and the contracts concluded to implement them, and the revenues of local festivals (NAIH/2018/2124/V).

2.7 The Publicity and Live Coverage of Sessions of Local Representative Bodies

The publicity and live coverage of sessions of local representative bodies raise a number of practical questions. The invitations to, proposals, agendas, minutes, and resolutions of committee meetings of local representative bodies qualify as data to be disclosed. As a main rule, sessions of representative bodies are public, and anyone may participate at them. In Hungarian data protection practice, the local government or its agent provides live coverage – e.g. on the internet or local television; often audio recordings are made – of the sessions as per the local rules of organization and operation, but all those concerned have to be given prior notice thereof every time. (Notice may be made orally before the session or a notice displayed in a given space or on the webpage or social media site of the local television or the local government itself.) Those present at the sessions also have the right to provide live coverage or make audio or video recordings thereof subject to personality rights and the respect of human dignity. The publication of recordings of public sessions to inform the wider public is not unlawful, but, as stated above, personal data accessible on public interest grounds must not be disseminated in ways infringing the principles of purpose limitation and data minimization (NAIH/2018/6137/2/V).

Apart from those of closed sessions, citizens may access the proposals and minutes of local representative bodies. Resolutions passed at closed sessions of local representative bodies are also public, and shall be published electronically, on the internet, under the Privacy Act. Data of public interest and data accessible on public interest grounds must be given access to even in the case of closed sessions. In terms of FOI, this means that data of public interest does not lose its public quality because it is generated at a closed session, and, even in the case of decisions made on persons at closed sessions, account should be made of whether data, types of data, processed there are rendered accessible on public interest grounds by law or not. Otherwise such data must be protected from unlawful access and publication; thus, the wording of public resolutions must not refer to data relating to natural persons. In the case of a (justified) complaint, the subject of the complaint was that the former employer of the complainant, the mayor’s office of a community, had published the mayor’s briefs on decisions made at closed sessions of the local representative body the website whereby anyone could tell that the complainant was involved in litigation against his former employer (NAIH/2018/7429/2/V).

2.8 Social Media and Local Public Affairs

Communication and the provision of information increasingly take place on the internet, primarily social media, and it is small wonder that more and more communities and mayors have pages on the most popular social media provider (as well). The Authority received several complaints in this respect.

In one case, the Authority found that the name of the editor, administrator or moderator of the ‘official’ Facebook page of the town (mayor), qualifies as data accessible on public interest grounds under the Privacy Act, and it instructed the mayor’s office to send the requested data to the requester (NAIH/2018/7338/V). In another case, the mayor of a town published on his own Facebook page the letter of a local representative stating his resignation from being a representative. At the request of the writer of the letter, the letter was first removed from the Facebook page, and later posted again with redaction of the personal data of the former representative. The inquiry found that an elected local-government representative qualifies as person performing public duties, the resignation from being a local representative qualifies as a data of public interest, and the name of the representative qualifies as data accessible on grounds of public interest, but the personal identification data (place and date of birth, mother’s name) are personal data always to be redacted.

The mayor of a community published photos of persons misusing the waste collection sites of the community on his own Facebook page. In the opinion of the Authority, the mayor would have proceeded lawfully by turning primarily to the organ competent to investigate criminal offences and infractions in order to identify the persons on the pictures (NAIH/2018/2866/5/V).

3. The Act on Administrative Procedure vs. the Privacy Act, or Public Sector Information in Public A...

In 2018, several complaints were filed with the NAIH where requesters sought to access the documentation of on-going administrative procedures (typically documents concerning tender procedures for the entitlement to provide local radio media services). In the opinion of the organ performing public duties, Act CL of 2016 on the Code of General Administrative Procedure (hereinafter: ‘the Administrative Code’) and Act CLXXXV of 2010 on Media Services and Mass Communication (hereinafter: ‘the Media Act’) govern as lege specialis the accessibility and publicity of data of administrative procedures (procedure documents and decisions made therein), and thus section 27 (2) g) of the Privacy Act is applicable (‘The right to access data of public interest or data accessible on public interest grounds may be restricted by an Act, with the specific type of data indicated, if considered necessary for the purposes of court proceedings or administrative procedures’).

The interpretation and answering of questions related to the procedural and file access rules of the Administrative Code fall within the competence of the Authority only to the extent that they concern the two informational fundamental rights, but all possibilities of restricting the fundamental right of access to information must always be interpreted strictly (moreover the tendering stage of radio frequency allocation were completed in these cases). The fact in itself that the requested data of public interest are being used in an administrative procedure does not strip them of their quality of being data of public interest. The restriction of publicity in view of an administrative procedure can only be assessed in a concrete case. The NAIH has no competence to take a position on whether the data requester qualifies as a party or generally a third party to the administrative procedure commenced under the Administrative Code that formed the basis of the complaint. At every phase of the procedure, the party may access the files created in the course of the procedure, and he is entitled to do so even though he had not been party to the procedure earlier. Not being a party, the requester must appropriately substantiate his right to access a file containing personal data – in the event of the requester failing to do so or being unsuccessful in doing so, the organ preforming public duties proceeds lawfully, in the opinion of the NAIH, if it dismisses the request to access the file.

A third party may only access files containing personal data or protected data if he provides proof that becoming familiar with the data is necessary for the assertion of his right or for the performance of his obligation imposed by law, a court decision or a final decision by an authority. Again, the Administrative Code therefore only specifies the types of data that can be accessed under certain conditions. In the opinion of the NAIH, this section does not include any restriction with regard to data of public interest or data accessible on public interest grounds; interpreted, the provision only prescribes the redaction of personal and protected data.

On the other hand, access to the decision that has come into effect, in the opinion of the Authority, must not be denied from the complainant on grounds that the person of the party could be deduced from a summary of the decision (even though personal data have been redacted from it).

Under the Media Act, the procedures applied for tenders announced concerning the rights to provide linear media services using state-owned limited resources shall be governed by the provisions of the Administrative Code in conjunction with those of the Media Act, the Media Council shall thus provide information on the data included in tender offers only after the conclusion of the contract. In this respect, completed and on-going administrative procedures must be distinguished. If anyone wishes to have access to the files of a completed administrative procedure, this should be fulfilled as a main rule in the opinion of the NAIH.

In the opinion of the Authority, the restriction under section 27 (2) g) of the Privacy Act does not apply to completed procedures. It should also be noted that both the Administrative Code and the Media Act provide for restrictions concerning personal and classified data, but neither law prescribes the anonymization of data of public interest or data accessible on public interest grounds. In the complaint cases submitted to the Authority, it achieved the appropriate fulfilment of all access requests (NAIH/2018/291/V, NAIH/2018/819/V, NAIH/2018/1646/V).

4. Rules of the Reimbursement of Costs Regarding Data Requests – Recent developments

In last year’s report, we detailed the basic rules of reimbursing costs on the basis of Government Decree 301/2016 (IX. 30) on the Costs of Disclosure of Information (hereinafter: ’the Decree’). The experience of the last year is essentially the same, but the Authority issued its position on some new, untypical instances, with a view to the fact that the bodies performing public duties do not provide services when fulfilling requests for data of public interest, but comply with their obligations arising from the fundamental right enshrined in the Fundamental Law.

In 2018 most of the FOI cases consisted in complaints objecting to the legal basis of charging fees and/or disputing the amounts charged (39 in number). Ministries (Ministries of Finance, Agriculture, and Human Resources), local governments, companies owned by state or local governments, and public institutions were among the data controllers. The amounts determined showed a great variety; sums of a few 10 thousand forints were most usual, but there were charges running up to several hundred thousand, even million forints. (Hungarian State Treasury: HUF 5,414,856; Hungarian Rugby Alliance: HUF 1,972,666; Szeged Open-air Non-profit Ltd.: HUF 891,540 + VAT). The highest amount, HUF 11,482,540, was determined by the Police Headquarters of Budapest District IX, in a way not detailing the elements of costs to either the data requester or the Authority. (In this case, we turned to the National Police Captain.)

The efficiency and success of the NAIH as supervisory organ is proven by the fact that a significant proportion of the cases closed resulted in the data controller fulfilling data requests without charging fees or reducing the fees based on miscalculation and returning the fees that had been paid. This was the result of our inquiries of e.g. the Hungarian Rugby Alliance, the Ministry of Agriculture, the Budapest Police Headquarters, the Radioactive Waste Management Public Benefit Non-profit Ltd., Barcika Park Non-profit Ltd., and Budaörs Local Government. At the same however, it is true that several inquiries commenced last year were still unclosed at the time of drafting the report, as the positions did not come nearer even after several exchanges of correspondence.

It should be emphasized in this regard that charging fees is not obligatory. It is always for the given organ performing public duties to decide whether it wants to make use of this opportunity or not. If it does, it may only charge the actual costs of the data media used, delivery, and labour lawfully; no other element of cost may be taken into account.

Most problems occurred due to the reimbursement of the workforce necessary for fulfilling data requests, particularly because this element constituted the largest proportion of the fees charged to data requesters.

Fulfilling a data request necessarily involves certain amount workforce allocation – this is an institutional concomitant of the fundamental right to access data of public interest. According to the Decree, the cost of workforce may cover the time necessary for the identification, collection, and arrangement of the requested data, the time for the duplication, and the time necessary for the anonymization of data that may not be accessible. If this period exceeds four working hours, this cost element should be calculated in the following way: the working hours of the correspondent must be multiplied by the actual labour costs per hour of work (according to the Decree, this amount may not exceed 4400 HUF). Other contributions, bonuses, rewards and other benefits, such as fringe benefits cannot be taken into account. Importantly, fees must correspond to actual costs incurred, which might even be less than the amounts defined in the Decree.

In the consistently held opinion of the NAIH, the fulfilment of requests for data of public interest is not subject to VAT. This is undergirded by the opinion ‘Tax question no. 2016/25 on determining fees to be charged for requests for data of public interest within the VAT system’, issued by the competent department of the Ministry for National Economy in 2016.

Additional work costs needed may be taken into account in determining the fee chargeable when, at the organ performing public duties,

the workforce needed for its ordinary operation
is required disproportionately, and
the period of using the workforce exceeds four working hours.

Accordingly, the period of disproportionate use of the workforce depends not on the fact that it exceeds four working hours. The three conditions mentioned must be met together.

On the basis of the criteria developed by the NAIH, during inquiries we asked, if necessary, what the number of staff was at the organ performing public duties, what functions the staff involved in fulfilling data requests held, what was the relationship between the functions of the staff involved in fulfilling data requests and the basic activity of the organ performing public duties, and what basic activities the fulfilment of data requests obstructed the organ from performing. We request the opinion of the data controller on why it considers that there is a disproportionate use of its workforce. We also take into account the technical infrastructure available to the organ (e.g. how many printers and scanners the organ has, and how long these were used for fulfilling the data request).

It is a question whether the data requested by the data requester are available in the form he requested. If not, what was the estimated workforce the production of the form he wished (the migration of existing data into processable Excel tables, etc.). It is not only the volume of data that counts but also the mode of accessing them (e.g. archived data).

It is also to be examined whether the data requested appear in the general Publication Scheme of Annex 1 of the Privacy Act; that is, whether the data are those that should have been published electronically by the organ. In the case of such data, no cost claim should have arisen in the first place, as the data request can be fulfilled by giving the precise internet link of the data under the Privacy Act.

The NAIH may ask what the ways of arranging the data into databases are (e.g. by manual selection or simple filtering in a digitized document). This fact has a significant effect on assessing whether there was a disproportionate use of the workforce or no.

In the case of workforce allocation, the NAIH requested data controllers to provide reports of how many staff and work hours they took into account, and what sums they calculated for each person in a given a position, and it also requested demonstration of what work processes were/are required by fulfilling data requests, and of how complex a duty it was/is to fulfil such requests (e.g. how many organisational units were/are needed to perform it).

If the justification of charging a fee had been the substantial size of the document, the NAIH took into account the size of the documents needed to be researched, systemized or copied for fulfilling the request.

If the data request is fulfilled electronically, the time required for making a copy may only be taken into account when

the data required is not available in electronic form, or
the time needed to make the copy is shorter than the time required to find the electronically available files.

In examining the cases of cost reimbursement, we seek to call the attention of data controllers to cost efficient ways of fulfilling data requests. In a concrete case e.g., the given organ had neither human resources nor technical means to provide the great amount of data requested, the NAIH, as mediator, successfully proposed that access to data should be ensured by way of enabling inspection, taking notes and photos (NAIH/2018/436/V).

According to the interpretation of law by the NAIH, if an organ performing public duties wishes to apply Section 29 (4) of the Privacy Act (i.e. to make the fulfilling of the data request subject to prior payment of a fee), it is obliged to notify the requesting party within 15 days of the receipt of the request. If the given organ exceeds this deadline, it may not charge a fee beyond it. No doubt, however, the provision is not clear as to whether the fifteen-day deadline for providing information on charging fees has an effect of absolute loss of rights. This deficiency of law has featured in several cases, and its resolution has been unequivocal to neither the courts nor the NAIH. For, the data controller organ performing public duties, when, on the basis of its position in the legal issue, rejects to fulfil the data request – by reference to e.g. its not being a data controller with regard to the data requested or the data not being of public interest/accessible on public interest grounds – , has obviously not made a decision on charging costs. Charging a fee is connected to providing data of public interest, and it is related to the legal determination of the decision as a kind of additional matter. In order to orient legal practice, the NAIH took the position that, should the NAIH or the proceeding court, at the conclusion of the legal dispute, find that the legal position of the data controller had been wrong, and thus the requested data was to be disclosed, the 15-day deadline for determining the fee is recommenced as of receiving the notification on the administrative decision. The issue of interpretation and application of law mentioned can be satisfactorily be resolved by legislation. The NAIH notified the Curia of its position.

The Authority wishes to emphasize that the 15-day deadline for providing information under section 29 (4) of the Privacy Act is independent of the fact that the given organ has extended the time for fulfilment or not. The obligation to provide information applies in this case not to the extension of time for fulfilment.

Finally, the requirement of transparency in respect of reimbursing costs should also be emphasized. Transparency is served by appropriate information primarily. The more detailed the information, the more efficient it is. Unfortunately, we continue to receive information of malpractice in great numbers: e.g. ‘with regard to the fulfilment of the data request, fees shall be charged’, ‘the cost of the data request shall be HUF x’, from which no factual and legal justification of the determination can be discerned. The NAIH therefore requires, as a minimum, a breakdown of elements of cost, a report, in the case of additional allocation of workforce, on the number of staff and work hours and the hourly breakdown of sums per employee involved that were taken into account. Both remedy and NAIH inquiry procedures are facilitated if the data controller details the work processes required for fulfilling data requests. When substantial amounts of copying are needed, the provision of information has to detail this, e.g. the quantity of documents needed for fulfilling data requests. The requester must be notified of the possibilities fulfilling data requests without copying. In this regard, we must mention the practice of the Ministry of Finance that it does not provide information on cost elements of charging costs even when data requesters expressly apply for it, though, in the opinion of the NAIH, this is information which the ministry should have provided when determining the fee.

On its website, the NAIH published a Notice (’Tájékoztató’) providing useful information on charging fees: http://www.naih.hu/files/ Infoszab_tajekoztato_2018_06_30.pdf.

5. Higher-education Publication and Publicity Issues

In its legal practice, the NAIH has consistently held that state-owned higher-education institutions are always organs performing public duties, while non-stateowned higher-education institutions are obliged to demonstrate the fulfilment of data requests before the public with regard to managing public funds and publication under special provisions of law. This is based on the annual financing agreement with the Government under Government Decree 389/2016 (XII. 2) on financing the basic activities of higher-education institutions, the list of which the NAIH requested from the competent ministry (NAIH/2015/6179/V, NAIH/2018/2301/V).

Copyright rules apply with regard to the content publicly funded university publications (section 27 (2) h) of the Privacy Act). As a result, the main rule is that as long as the author of a manuscript does not publish a university manuscript (either a diploma thesis or any other scholarly treatise and paper), the rules of free use do not apply, the work is subject to copyright protection, and it is only its author that is entitled decide on its publication. However, works produced in the framework of an employment relationship are subject to other rules. If producing the work is a duty resulting from such employment, the handover of the completed work qualifies as consent to its publication. In the event of the author’s statement on revoking the work, the employer shall omit indicating the name of the author. Indicating the name of the author must also be omitted when the employer exercising its rights arising from the employment relation changes the text without the agreement of the author.

Diploma theses, dissertations, and other original intellectual products by students made during their enrolment are subject to different assessment. In the lack of a different agreement thereto, the contents of the works in the possession of the university library may be displayed on the computers placed in the university library for the scholarly research and study purposes of the students and visitors of the library and may be made accessible to the public if the said persons study the contents of the works not for purposes of generating income, because it would constrain students’ learning, research, and professional development if scholarly works in the present or future possession of the university library were not accessible and readable at least locally, for a readership in the university library as broad as possible. The rules of free use apply to university publications with authorial consent.

With regard to university publications publicly funded, the question of the further use or reuse of publicly funded open-source research data likewise arises. Under section 3 (1) e) of Act LXIII of 2012 on the Reuse of Public Sector Information, public sector information managed by institutes of education and research, schools, universities, archives, libraries, and research institutes and organisations set up to forward research findings may not be released for re-use, and no law shall provide that they may be defined as public sector information obligatory to be made available or as cultural public sector information. As per currently effective Hungarian law, the public sector information processed by universities constitute an exemption from rules on reuse.

It should be noted however that the open access to scientific publications is a topical question that has been on the agenda in the European Union for several years. The European Commission and the competent Commissioner have spoken up for open access in their press releases.

Many university teachers continue to have difficulties in reconciling themselves with the teacher data sheets on the website MarkMyProfessor (www.markmyprofessor), objecting to the comments on teachers, the content and style of these assessments. Our position is unchanged, the running of the higher education system is the duty of the state, thus all higher education institutions recognized by the state – regardless of their maintainers – are institutions performing public duties, and the teachers and employees performing duties related to education qualify as persons performing public duties and assuming a kind of scientific public role. In view of the fact that the purpose of the database on the website is to provide information to students about the level of the teaching provided by the given teacher and the current requirements, the name of the teacher may be given in relation to the teaching activity as per the original purpose insofar as she or he is on the staff of the institution. (The operator of the website is obliged to delete the data sheets of those teachers who, when no longer employed as teachers, request so from the data controller.)

Persons performing public duties (just like those in public life) have to tolerate more in terms of the negative assessments made of them and criticisms of their professional activities, which, however, may not entail any disrespect of human dignity. The operator of the website shall be liable thereof.

6. Environmental Information

Providing the public with access to environmental information is indispensable for ensuring the right to a healthy environment. The lack of such information can obstruct the public in taking part in decisions on the environment. Fortunately, the legal basis of access to such information is severally ensured; apart from the Privacy Act, section 12 (2) of Act LIII of 1995 on the General Rules of Environmental Protection lays down that information on the environment constitute data of public interest; moreover, section 4 (1) Act LXXXI of 2001 promulgating the Aarhus Convention obligates public authorities to ‘to provide public access to the requested environmental information in the framework of national law’.

The law provides for exceptions to publicity, such as e.g. in view of the confidentiality of administrative procedures and the protection of personal data, but the exemptions ‘are to be interpreted narrowly, taking into account the public interest in revealing the information’.

Government Decree 311/2005 (XII. 25) on the Rules of Public Access to Environmental Information determines what data qualify as environmental data (e.g. data concerning the condition of the elements of the environment, environmental burden, measures related to the environment, and environment protection measures).

Several complaints were filed with the Authority on this subject matter, especially with respect to tree felling licences. The sudden disappearance of trees that have become parts of street imagery can become emotional issues.

Apart from these, complaints were submitted on the plans for the management of the high-water bed of the Danube, the construction project at Városliget (’City Woods’), the community transport development of a town, the amount of waste delivered at a waste site, the documentation of an administrative procedure on smell effects, and the noise pollution and operation of a battery factory.

In spite of the wide range of information involved in the requests dismissed, certain similarities can be observed in the justifications data controllers gave for their dismissals.

The Aarhus Convention provides for the dismissal of a limited few cases of environmental information requests, but the exceptions are to be interpreted strictly taking into account the public interest in revealing information. One possible justification of dismissal may be a request to access the internal communication of public authorities. The implementation guide to the convention^{^[1]} states: ‘Opinions or statements expressed by public authorities acting as statutory consultees during a decision-making process cannot be considered as “internal communications”. […] Moreover, once particular information has been disclosed by the public authority to a third party, it cannot be claimed to be an “internal communication”.’

Though legally wrong, the reasoning that the data requester is not a party to the procedure where the decision was made often occurs. On the basis of the argument stated with regard to the provisions of the Administrative Code above, the entitlements of a party do not touch access to final administrative decisions adopted.

Another similar dismissal justification is the limitation of publicity of data grounding decision making. These decisions have to be made with circumspect deliberation and to be justified according to criteria laid down by the Constitutional Court in several decisions – data controllers nonetheless failing to abide in several cases. Data controllers failed to appropriately justify their holding back from the public the local-government opinion concerning the he high-water bed of the Danube and the World Heritage impact study made for the UNESCO World Heritage Committee; we thus established the infringement of the right to access data of public interest in these cases (NAIH/2018/7054/2/V).

Finally, it should be noted than whenever an organ performing public duties has the right of discretion with regard to access to data of public interest, we always call its attention to the fact that access to environmental data is indispensable for ensuring the right to a healthy environment.

[1] The Aarhus Convention: An Implementation Guide: http://www.unece.org/index.php?id=35869

7. Other Cases in the Limelight

In 2018 several questions, submissions for consultation or complaints were filed with the NAIH, the subjects of which were the publicity of general charges of corruption. In these cases – as in the so-called Elios case –, the Authority is obliged to contact the competent prosecution and crime prevention organ because the restriction of publicity under section 27 (2) c) of the Privacy Act must be respected by all actors. According to the statement of the Public Prosecutor’s Office, the full publication of the findings of the OLAF report on the cases in question would certainly hinder the interests of the investigation the criminal offences; this procedure-law constraint cannot be lifted until the conclusion of the investigation. (Note: as, according to the reports in the press, the Hungarian Government is removing the invoices of the public lighting projects implemented by Elios from the final invoice package to be submitted to the European Commission, the report has no relevance with regard to the publicity of data of public interest.) (NAIH/2018/1208/V, NAIH/2018/1221/V, NAIH/2018/1606/V, NAIH/2018/1824/V).

The Hungarian Football Federation requested an opinion on whether the referee and referee controller funds qualify as data of public interest. In accordance with the provisions of the Privacy Act, Act I of 2004 on Sports, and the Charter, the organisational and operational regulations of the Football Federation, and its regulation effective of 1 July 2018 and entitled ‘Football competition rules for fullsize and decreased pitches’, in the course of this activity, the Football Federation qualifies as an organ performing public duties, and thus the names, the duties of the referees and referee controllers proceeding in the scope of the duties and competence of the Football Federation, and their other personal data related to their exercising its public duties – except for the personal data to be protected – are data accessible on public interest grounds. On the other hand, disclosure of the names of the referees and referee controllers a day before the championship event is appropriate practice, whereby the Football Federation causes no significant harm to the given referee or referee controller, fulfils the obligation to provide information appropriately, and also efficiently protects the outcome of matches from unfair influence (e.g. the bribery of referees) (NAIH/2018/5631/V).

A requester of data wanted to access information – primarily business information – about chicken-pox vaccine from the Ministry of Human Resources. The Ministry qualified the data as decision-preparing data, and referred to the fact that the business interests of the company producing the vaccine would be harmed if competitors were be able to know the precise of price at which it offered the product to the health system. The Authority found the argument to be substantiated, and accepted it (NAIH/2018/3256/V).

A complainant parent objected to the recognizable appearance of his minor daughter in the cover picture of a political article on the Hungarian Scouts Association. In the course of the inquiry, it turned out that the article in question was illustrated by a picture downloaded from the MTI (MTVA) Fotóbank (’Photobank’), and was used with content that differed from the original dispatch. Upon our notice, the illustrative picture was deleted; it was found that no media took over the article, and the internet search engines (Google, Bing) were notified to delete the content indexed earlier, and to index the new article with the new content.

With regard to the fact that most scouts are minors, the personal data of whom are to be protected under the GDPR, it is important that the children and their legal representatives be properly informed of data processing issues. The Scouts Association informed the Authority that, it calls the attention of participants at its public events, notices at registration and venues that video, photo and voice recordings are made of the event where the participating person might be recognized. The Authority suggested, apart from this, to include the general notice in its organisational and operational rules (NAIH/2018/4601/V).

8. The Google Search Engine

The Authority sent letters of request to Google in several cases in 2018. These were directed at mapping actual practice, but there was also an instant where the Authority required, on account of the changes in the legal environment (Article 24 of the GDPR), that the data controller change its former position. We asked Google what the basis on which it ranks search results is, how the search algorithm works, what the criteria of ranking are, what measures it has introduced to comply with the provisions of the GDPR.

The following links provide further information:

https://transparencyreport.google.com/eu-privacy/overview

https://policies.google.com/privacy?hl=hu

https://privacy.google.com/your-data.html

https://support.google.com/transparencyreport/answer/7347822/?hl=hu

In on concrete case, a complainant, a highly respected person, objected that the Google search result list included URL-s containing information about the complainant’s deceased spouse and family life that are damaging and contemptuous. Google had dismissed the request earlier on grounds of public interest, but, upon the Authority’s notice, it removed the links pointing to the contemptuous articles.

It should be noted here that deletion from the search list merely cancels the route of access, but the information continues to be available on the website. Should the data subject wish to have the full deletion of the data, she or he should turn to the operator of the website requesting the deletion of the data.

2017

1. Introduction

2017 was fundamentally geared towards the preparation of the General Data Protection Regulation for both public bodies and the Authority. However, compliance with the new data protection rules did not mean that the other informational right, the freedom of information, was relegated to the background. On the contrary, the Authority paid more attention to the right to access and disseminate data of public interest and data public on grounds of public interest, and to raising awareness of obligations related to the freedom of information.

As in previous years, the Authority focused on the publicity of data on the management and use of public funds and national assets. Public funds and national assets must be managed according to the principles of transparency and the purity of public life. For the realization of the values and goals enshrined in the Fundamental Law, the existence and enforcement of the freedom of information is indispensable.

In 2017, the Authority expanded and developed its practice in the application of the rules of the reimbursement of costs regarding requests for data of public interest. 2017 was the first year in which the relevant regulations were already in force throughout the whole year. The public bodies applied the rules of charging fees in ways that led to infringement of law on several occasions. In each case, the Authority not only tried to consider facts and circumstances relevant to the particular case, but also to provide general guidance to the bodies and persons concerned.

Finally, it should be emphasized that the Authority continued to play an active role in fulfilling the state responsibilities in the prevention of corruption. In addition, the Authority actively participated at international and European forums on freedom of information. These conferences were primarily aimed at fostering closer international cooperation and the harmonization of different national practices.

2. Transparency of the Use of National Assets and Public Funds

It is a fundamental social requirement for the community of citizens to control the use of public funds and national assets. The supervision of the management of these assets is also supported by—apart from constitutional control mechanisms, the procedures of the State Audit Office, the Government Control Office and the investigating authorities—the enforcement of the freedom of information. The ability of the press, NGOs, and members of society to access and disseminate data of public interest and data public on grounds of public interest is at all times one of the most important values and goals of the democratic rule of law.

The current legal environment, in the spirit of the Fundamental Law and its National Avowal, provides also for fairness in public life, the control of responsible management of the national assets and as its prerequisite, public scrutiny. Accordingly, the provisions of Act CXCVI of 2011 on National Assets (hereinafter ‘National Assets Act’), Act CVI of 2007 CVI on State Assets (hereinafter ‘State Assets Act’), and the guiding rules of the Privacy Act are designed to enforce the principles of transparency, accountability and the purity of public life. The publicity of the use of public funds and national assets is supervised first and foremost by the NAIH.

In 2017 also, the Authority examined the transparency of the use of public funds and national assets in a number of cases. In the course of its investigations, the NAIH started out from the often-quoted provision of the Fundamental Law: ‘Every organization managing public funds shall be obliged to publicly account for its management of public funds. Public funds and national assets shall be managed according to the principles of transparency and the purity of public life. Data relating to public funds and national assets shall be data of public interest’ (Article 39 (2)).

This constitutional requirement also covers the traceability and transparency of public finance management and the public accountability of the transfer of national assets. Article 39 (2) of the Fundamental Law, in fact, constitutes one of the most important limits of the exercise of public authority and the use of public funds. First, it ensures their public control by declaring it the fundamental right of individuals; second, it clarifies and supplements this by declaring information on the use of public funds as data of public interest; and, third, it makes transparency the constitutional obligation of bodies managing public funds.

The essential purpose of national assets is to provide for the performance of public service duties, ^{^[1]} and national assets are to be managed responsibly and properly. The task of national asset management is primarily to run the state and local governments in order to perform public service duties and meet the prevailing needs of society in a transparent, efficient and cost-saving way that is consistent with the existing potential of the state and local governments and based on unified principles; to protect the value and condition of state and local-government property, to use it to increase its value, to utilize it profitably, enlarge it, and also to sell those elements of it that are rendered superfluous for the performance of the state or local-government duties. National assets, their value and changes, are registered by the exerciser of ownership rights. Registering the value may be dispensed with if the value of the given property cannot be determined by nature.^{^[2]} Registration shall also include the designation of the primary-purpose public service duty of the asset. The data registered, with the exception of classified information, shall be public.

In addition, the NAIH also took into account that the Constitutional Court, in Decision 25/2014 (VII.22.) AB, bindingly confirmed that bodies and persons managing or disposing of public assets qualify as bodies with public service functions under the Privacy Act.^{^[3]} Data on the management and disposal of state assets that are not data of public interest shall be deemed as data public on grounds of public interest.^{^[4]} The Constitutional Court therefore clearly confirmed that the requirement of transparency generally extends to bodies and persons managing public assets, further strengthening the transparency and controllability of the operation of public funds and state assets.

By way of summary, it can be stated that the current legal environment focuses not only on the fact that a body or person actually fulfils a public service duty as defined by law but also on the fact of disposal and management of national assets. Thus the Fundamental Law and the laws detailing its provisions doubly ensure the transparency of the management of public funds. On the one hand, the Fundamental Law itself provides for standards of data of public interest and data public on grounds of public interest. Since this is the basis of the Hungarian legal system, it can be stated that the transparency of the management of public funds is ensured at the highest, constitutional level. On the other hand, taking also into account the rules of the National Assets Act and State Assets Act, the provisions of the Privacy Act on the accessibility of data of public interest and data public on grounds of public interest must be applied in this regard.

1) In one case, the NAIH received a consultation submission requesting the Authority to deliver its opinion whether the salaries and other benefits of the employees of the Pallas Athéné Foundations and of the company they established are to be considered as public information.^{^[5]}

In its opinion, NAIH first of all considered whether the Pallas Athena Foundations and the company it established qualify as entities with public services functions. In this respect, the Authority took into account that, under Article 162 (2) of Act CXXXIX of 2013 on the Magyar Nemzeti Bank (hereinafter ‘the National Bank Act’), the Hungarian National Bank, in line with its tasks and primary objective, may establish a business association in which it has a majority holding or may create a foundation. In its Decision no. 8/2016 (IV.6) AB, the Constitutional Court explained in this respect that: ‘When the state-owned National Bank creates a business association or a foundation, the sources of the assets it contributes to their establishment or operation (starting capital and support later provided) are necessarily public funds.’^{^[6]}

In the reasons of that decision, the Constitutional Court found that ‘the companies established by the National

Bank, in which it is a majority or exclusive shareholder, i.e. it controls them, as well as the foundations the

National Bank establishes, manage public funds, and are consequently—as per Section 39 (2) of the Fundamental Law—obliged to ensure the publicity of data in respect of the data of public interest and data public on grounds of public interest they process in accordance with Article VI (2) of the Fundamental Law and the appropriate prescriptions of applicable laws’.^{^[7]} Both the Pallas Athéné Foundations and the company they created qualify as bodies with public services functions under the provisions of the Privacy Act.

As a next step, the NAIH examined whether the wages and other benefits of these employees employed under

Act I of 2012 on the Labour Code were data public on grounds of public interest in accordance with the Privacy Act and other legislation. In this respect, the Authority emphasized that there is certain group of data where publicity must be enforced relating to the employees of the foundations and company as persons exercising the duties and powers of a body with public services functions. The employees concerned are those whose activities are among the duties of the body with public services functions as defined by law. In their case, it is primarily the information listed in Section 26 (2) of the Privacy Act that can be accessible to anyone: the name, scope of responsibilities, scope of work, and executive mandate of the employees.

In addition to the range of data mentioned above, other personal data of the employees related to the performance of the public service duty may also be deemed to be data public on grounds of public interest pursuant to Article 26 (2) of the Privacy Act. As the use of public funds is at stake, transparency and controllability—being public interest—is of paramount importance. For this reason, the wages paid to the employees concerned, as well as their regular, ad hoc, cash and in-kind benefits, such as holiday rebates, bonuses, substitution fees, earning allowances, and target bonuses, qualify as personal data arising in connection with the performance of the public service duty, which anyone can access.

At the same time, the freedom of information and the right to informational self-determination must be enforced with mutual respect to each other; thus defining the range of other personal data relating to performing public service duty must take into account whether their publicity does not disproportionately violate privacy rights.

According to the NAIH's practice in this regard, the information under Section 26 (2) of the Privacy Act concerning those employees whose activities are not directly related to the performance public service functions of the authority may not be accessible. This includes, inter alia, employees who do not take part in decision making, neither in the preparatory nor in decision-making stage. Examples include drivers, cleaning staff, etc.

In another case, the complainant requested the NAIH to investigate an application for disclosure of data of public interest not fulfilled by Magyar Villamos Művek Zrt (MVM).^{^[8]} The purpose of the request was to obtain copies of the documents relating to the granting of assistance to the Civil Összefogás Közhasznú Alapítvány (Civic Union Public Benefit Foundation; CÖKA). MVM refused to fulfil the data request, stating that: ‘the support was covered not from public funds but from its own resources’, and thus information about it was not subject to Article 26 (1) of the Privacy Act.

In the course of the investigation, the NAIH found—from publicly available company data—that MVM's sole shareholder is the Hungarian State, which exercises its shareholder's rights through the Hungarian National Asset Management Inc. Pursuant to the relevant provisions of the National Assets Act and the State Assets Act, the MVM constitutes national and state assets. Consequently, the MVM qualifies as a body with public service functions, which is obliged to enforce the right of access to data of public interest and data public on grounds of public interest.

The NAIH also stated in its opinion that MVM manages public funds, therefore information on its management, the use of the funds it manages, constitute data of public interest under Article 3 (5) of the Privacy Act and Section 39 (2) of the Fundamental Law. By denying to fulfil the request to access data, MVM therefore violated the fundamental constitutional right of the data requester to access data of public interest.

NAIH delivered a similar opinion following an investigation concerning the unlawful denial of a request for disclosing data of public interest by Antenna Hungária Zrt.^{^[9]} In this case, the company claimed in response to NAIH's first warning that revenue from its own market activity did not fall within the concept of public funds, and also denied its being a body with public services functions.

In its opinion, therefore, the Authority called the attention of the company to the fact that several factors justify why publicly owned companies qualify as bodies with public service functions. On the one hand, these entities perform a wide range of public or municipal activities and tasks. The laws themselves name the specific companies that carry out prominent public service duties. On the other hand, the financial and other assets available to the companies owned by the state or local government constitute state or national assets.^{^[10]} These companies make decisions on them, their management, and use. Now, pursuant to Section 7 (1) of the National Assets Act, the fundamental function of national assets is exclusively to ensure the fulfilment of public service duties. Under Section 5 (2) of State Assets Act, bodies managing public funds qualify as bodies with public service functions. Limiting the group of the entities solely to those defined in the formerly effective annex of the State Assets Act would therefore amount to emptying out the regulation, and consequently lead to an unconstitutional restriction of the fundamental right to freedom of information.

It follows from the foregoing that a company owned by the state or a local government ‘is obliged to ensure access to the data of public interest [and data public on grounds of public interest] it processes as a body with public service functions in accordance with provisions of law’.^{^[11]} Now, under Section 3 (5) of the Privacy Act, the data of public interest includes all information relating to the activity of the body with public service functions, or arises in relation to the performance of a public service duty, ‘in particular data concerning the scope of authority, competence, organizational structure, professional activities and the evaluation of such activities covering various aspects thereof, the type of data held and the regulations governing operations, as well as data concerning financial management and concluded contracts’. However, the relevant legislation does not include any exception for the ‘management’ of a body with public service functions, and this includes funds from either the state and local governments or market sources. The procedure of Antenna Hungária Zrt thus continued to fail to comply with the fundamental constitutional right of access to data of public interest.

In another case, the NAIH investigated the request for data of public interest that was not performed by Bp2017 Nonprofit Kft.^{^[12]} In doing so, the Authority emphasized that the company as a body disposing with national assets was not to have denied the request for data on certain contracts it had entered into under Section 27 (3) and (3a) of the Privacy Act, even on grounds that some of the data contained therein cannot be disclosed. According to the so-called data principle, data subject to disclosure restriction in the document must be rendered unrecognizable, while the information that can be disclosed shall be supplied in a readily intelligible form and by way of the technical means asked for by the requesting party.^{^[13]} The NAIH therefore found that Bp2017 Nonprofit Kft. violated the relevant provisions of the Privacy Act.
The NAIH also examined the question concerning the publicity of the annex to the contract for modernizing public lighting disclosed on www.gyal.hu. The mayor's office of Gyál only partially fulfilled the request for data provision, because, in its view, the disclosure would have affected business information. During the course of the proceedings, the NAIH reviewed the documents (more than 350 pages) requested to be accessed and the information contained therein in detail. It then found that the disclosure of the data contained in certain parts of the documents—with the exception of (personal) data public on grounds of public interest pursuant to law (chamber and company registration)—may be lawfully restricted on grounds of legitimate business interest under Section 2:47 of Act V of 2013 on the Civil Code and Section 27 (3) of the Privacy Act. However, access to the information not specified in the opinion cannot cause disproportionate damage to business activity, and should therefore have been made available to the requester of the data, which it was made following the investigation.
The NAIH also investigated the Heves Megyei Vállalkozás- és Területfejlesztési Alapítvány (Heves County Foundation for Enterprise and Regional Development, hereinafter ‘the Foundation’) for denying a request for data of public interest that, in its view, would have harmed the personal interests of its clients due to a confidentiality agreement.^{^[14]} The Authority found during its proceedings that the founders of the Foundation included the Local Government of Heves County, the Local Government of Eger County, the City of Hatvan, and the Hungarian Foundation for Enterprise Promotion. For this reason—and in view of the rules governing the transparency of national assets management—the NAIH deemed it unacceptable for the body with public service functions to conclude a confidentiality agreement with its clients in order to limit the disclosure of data of public interest and data public on grounds of public interest process. It is thus closely linked to the transparent and accountable operation of the Foundation, a body managing public funds, to disclose the data in all the detail the requester asked for.
The NAIH also investigated whether the monthly allowance given to Shane Tusup, Olympic champion Katinka

Hosszú's trainer, by the Magyar Edzők Társasága (‘Hungarian Coaches Society’, MET) in the framework of the Special Coaches Programme qualified as data public on grounds of public interest.

In the course of its proceedings, the Authority found that the financial source for the operation and financing of the

Programme was provided by the appropriation for the development of priority sports in the Act on the Central Budget of Hungary. Consequently, the funds managed by the Programme qualify as public funds, and thus constitute data of public interest within the meaning of the Fundamental Law.^{^[15]} Under effective legal provisions, on the other hand, a natural person who establishes a financial or business relationship with a person subject to a subsystem of general government finances is obliged to provide information to any person on the data public on grounds of public interest arising from that relationship.^{^[16]} This includes, inter alia, Shane Tusup’s share of the sum under the subsidy contract concluded between the Ministry of Human Resources and the MET.

Finally, the NAIH took into account the fact that the salary paid to Shane Tusup under the employment contract with MET qualifies as data public on grounds of public interest pursuant to the Privacy Act.^{^[17]} If it is not possible to know what kind of benefits the professionals participating in the Programme are entitled to, the control of the use of public funds provided for by the Fundamental Law is not ensured.

[1] Section 7 of the National Assets Act.

[2] Section 10 (1) of the National Assets Act.

[3] Section 5 (2) of the State Assets Act.

[4] Section 5 (1) of the State Assets Act.

[5] Case no. NAIH/2017/871/V.

[6] Reasons (19) of Decision no. 8/2016 (IV.6) AB.

[7] Reasons (29) of Decision no. 8/2016 (IV.6) AB.

[8] Case no. NAIH/2017/4100/V.

[9] Case no. NAIH/2017/5250/V.

[10] Reason (22) of Constitutional Court Decision no. 8/2016. (IV. 6.) AB.

[11] Reason (46) of Constitutional Court Decision no. 25/2014. (VII. 22.) AB.]

[12] Case no. NAIH/2017/2725/V.

[13] Section 31 (1)–(2) of the Privacy Act.

[14] Case no. NAIH/2017/1368/V.

[15] Section 39 (2) of the Fundamental Law.

[16] Section 27 (3) and (3a) of the Privacy Act.

[17] Section 26 (2) of the Privacy Act.

3. Rules of the Reimbursement of Costs Regarding Data Requests

Since the amendment of the Privacy Act, which came into effect on 1 October 2015, bodies with public services functions had the opportunity—in certain defined cases—to charge a fee for fulfilling data requests. The Government adopted Decree 301/2016 (IX. 30) on the Costs of Disclosure of Information (hereinafter: ’the Decree’), which came into force on 15 October 2016. The experience gained during its practical implementation in the more than a year-long period after its coming into force and the guidance issued by the Authority can be summarized as follows.

It should be noted first that with regard to the rules of the Privacy Act, charging a fee is not obligatory, but left to the discretion of the body concerned. It is therefore always up to the given body with public service functions to decide whether it wishes to exercise this right or not. If the body wishes to charge a fee, it has the opportunity to do so in the case of those requests that were filed after the Decree had come into force and under its provisions. The NAIH examined several data requests that had been submitted prior to the Decree coming into force. In fulfilling these requests, the bodies with public services functions might charge fees for costs in accordance with the principles and rules laid down by the practice of the NAIH. In several instances, the NAIH called the attention of public duty bodies that they could decide to omit reimbursement.

Fulfilling a data request does necessarily involve certain amount of workforce allocation—this is an institutional concomitant of the fundamental right of access to data of public interest. The measure that might be established under the Decree also does not mean that the data controller can enforce it in all cases, because the fees must correspond to real costs; thus if the fees are lower than the amount defined by the Decree, the data controller must take the actual cost into account.

On the other hand, it should be noted that, the fulfilment of requests regarding data of public interest is still not subject to VAT, because, according to Section 2 of Act CXXVII of 2007 on Value Added Tax (hereinafter ’the VAT Act’), the scope of the Act covers the supply of goods and services for consideration within the domestic territory by a taxable person acting as such, the intra-Community acquisition of goods for consideration within the domestic territory, and the importation of goods. Under Section 5 (1) of the VAT Act, a ‘taxable person’ shall mean any person or organization having the capacity to perform legal acts who (that), in its own name, carries out in any place any economic activity, whatever the purpose or results of that activity. According to Section 6 (1) of the VAT Act, ‘economic activity’ shall mean any business activity carried out independently on a regular or continuing basis for the purposes of obtaining income, or that results in the obtainment of income.

In accordance with the Privacy Act, the Decree provides for three cost elements in determining the fee chargeable. During performance, only the cost of the data storage device, of the delivery, and of the workforce needed may be taken into account. No other cost elements may be charged.

In the course of implementing the Privacy Act, most of the problems arose due to the reimbursement of the workforce necessary for fulfilling requests for data, particularly in the light of the fact that the largest part of the fees to be paid by data requesters was the cost element in most of the cases.

According to the Decree, cost of workforce may cover the time necessary for the identification, collection, and arrangement of the requested data, the time for the duplication, and the time necessary for the anonymization of data that may not be accessible. If this period exceeds four working hours, this cost element should be calculated in the following way: the working hours of the correspondent must be multiplied by the actual labour costs per hour of work (according to the Decree, this amount may not exceed HUF 4,400). Other contributions, bonuses, rewards and other benefits, such as fringe benefits cannot be taken into account.

According to Section 29 (5) point c) of the Privacy Act, if the fulfilment of a request for data requires a disproportionate use of the workforce needed for the ordinary operation of the body, the additional work costs needed may be taken into account in determining the fee chargeable. In other words, additional work costs may be taken into account when the public body:

the workforce needed for its ordinary operation,
is required disproportionately, and

the period of using the workforce exceeds four working hours.

Accordingly, the period of disproportionate use of the workforce depends not only on the fact that it exceeds four working hours. The three conditions mentioned must be met together.

In 2017, the NAIH developed the criteria and methodological principles that were used to examine what constitutes disproportionate use of the workforce when determining the rate of reimbursement. The NAIH considered information such as the number of people working in the public body, the position of the staff participating in fulfilling the data request, and relationship of the position of the staff involved in fulfilling the data request to the ordinary operation of the body, and which basic activity the body could or could not perform due to fulfilling data request. During the investigations, the NAIH asked why the bodies thought the workforce required to fulfil the data request was disproportionate, and that the data the requester wanted to access was of substantial size. The NAIH also took into account the technical conditions at the disposal of the public body (for example, the number of printers and scanners available in the institution, and how long they were used to fulfil the data request). Naturally, it was also necessary to examine whether the data requested was available in the desired format. The NAIH investigation also covered whether the requested data was included the Standard Disclosure List in Annex 1 of the Privacy Act, i.e. data the public body should have already made electronically accessible.

Section 29 (4) of the Privacy Act states that, if the fulfilment of the data request means a disproportionate use of the workforce of the public body needed for its ordinary operation, or the document or part of a document of which the copy had been requested is substantial in size and/or volume, and the reimbursement amount exceeds the amount defined by the Decree, the copy shall be provided within fifteen days from the date of payment of the fee. The requesting party shall be informed within fifteen days of filing the request that the fulfilment of the data request means a disproportionate use of the workforce of the public body needed for its ordinary operation, that the document or part of a document of which the copy was requested is substantial in size and/or volume, and also of the reimbursement amount and the alternate solution available instead of making a copy.

In the opinion of the Authority, the cost of data requests may be advanced in two cases:

If the fulfilment of the request for information entails a disproportionate use of the workforce necessary to perform the basic tasks of the public body, and the reimbursement amount exceeds the amount specified in the Decree;
If the document or part of the document of which a copy was requested is substantial in size, and the amount of reimbursement exceeds the amount specified in the Decree (HUF 5,000).

Consequently, the two conditions mentioned must be met together. An additional condition for the advance payment of the costs of data requests is that the data controller informs the requesting party about the fact, reason and the amount of the reimbursement fee within 15 days of receiving the request. In this regard, the NAIH is of the opinion that, if a public body wishes to apply Section 29 (4), i.e. to make the fulfilling of the data request subject to prior payment of the fee, it is obliged to notify the requesting party within 15 days of receipt of the request. In all cases where the body exceeded the above deadline, the NAIH ordered the data controller to fulfil the data request without charging a fee.

In order to orient the relevant practice, it is also important to note that Section 29 (2) of the Privacy Act provides also for extending the deadline for fulfilling data requests. The legislator regulated the extension of the deadline for fulfilment and the payment of the fee so that the public bodies can, at their discretion, rely on one or another law, or both at the same time. The conditions for the cases under Section 29 (2) and (4) of the Privacy Act essentially correspond to each other. It can therefore be concluded that the fifteen-day deadline for providing information under Section 29 (4) of the Privacy Act must be complied with, regardless of whether or not the body extended the deadline for fulfilment or not. In this case, the obligation to provide information is not linked to the extension of time for fulfilment.

If the data request is fulfilled electronically, the time required for making a copy in accordance with the Decree may only be taken into account when the data required is not available in electronic form, or the time needed to make the copy is shorter than the time required to provide the electronically available data. That is, in the case of data required in electronic form, the duration of using the workforce may only be taken into account if:

the data is not available in electronic form (it must be scanned), or
scanning/copying would be faster than searching for an electronic file.

The NAIH continues to hold that the bodies with public services functions do not provide services when fulfilling requests for information of public interest, but comply with their obligations arising from the fundamental right enshrined in the Fundamental Law. Moreover, it is not on a commercial basis that these bodies sell copies of documents, but they have the opportunity to request the data requester to reimburse material costs.

Finally, the NAIH emphasizes that the proper enforcement of the freedom of information requires the transparency of the procedure for determining reimbursement. Transparency is best served by the institution of providing information on reimbursement for the fulfilment of requests for data public interest. Under the Privacy Act, the bodies with public services functions must communicate the amount of reimbursement to the requesting party in advance. Section 29 (3) of the Privacy Act uses the term ‘amount’, while Section 29 (4) provides for the ‘measure’ of reimbursement. However, simply communicating the amount can give rise to abuse. For a communication on the amount does not in itself enable the determination of whether the fee was charged lawfully. The Authority therefore set down additional minimum requirements for providing information. In the interest of the freedom of information as a fundamental right, information on fees charged for costs of fulfilling a request for data must be sufficiently detailed; the bodies with public services functions must therein state any reason or cost element that justifies the amount charged. Appropriate information greatly contributes to making the requesting party truly understand and be aware of why he or she should pay for receiving the data requested. Based on the information, the requesting party will also be able to make the appropriate decision regarding the remedies available. According to the NAIH, the provision of information is sufficiently detailed if it contains the factual and legal justification of the fees charged. If additional workforce is used, the number of employees and the number of hours accounted, as well as the sum broken down to hourly work per employee must be shown. Both recourse to legal remedies and the NAIH proceedings are made easier if the data controller describes the work processes that were/would be necessitated for fulfilling a data request. When a copy of significant size is required, the provision of information must give details, such as the amount of paper the data request involves. Lastly, the data requester must be informed of alternate solutions available instead of making copies.

Determining costs requires preliminary calculations. This means that the entity with public services functions may request the data requester to reimburse the costs established on the basis of an estimate made prior to fulfilment, who is obliged to pay it if he or she continues to request the data after being informed thereof. However, cost reimbursement must always be limited to the cost directly and actually incurred in providing the data. Thus, it must be borne in mind that there may be a difference between the costs actually incurred and those previously calculated. In the light of the above, the public body must also carry out a subsequent cost calculation in order to determine the exact amount of the costs actually incurred. The requester must be informed of the result, the supporting calculations, certificates, working time statements, and other documents. No provision of the Privacy Act or the Decree allows the charging of additional costs incurred above the costs calculated previously. In other words, the data requester may not be subsequently charged with the difference due to an underestimation of costs. However, pursuant to the Decree, if the pre-paid reimbursement exceeds the sum of costs actually incurred, the difference is to be refunded to the data requester. It is important to substantiate the costs incurred in connection with the data request by means of documents also because, in a possible dispute, the data controller is responsible for demonstrating the exact cost elements.

The NAIH is confident that the time passed since the entry into force of the Decree has proved sufficient for law enforcement bodies to acquire sufficient experience in fulfilling requests for data of public interest, and to establish a well-defined procedural framework for fully complying with the rules of the Privacy Act and the Decree.

4. The NAIH’s Activities Related to the Prevention of Corruption

The NAIH represented itself at several home and international professional or scientific conferences, lectures, and workshops. At these, it highlighted the importance of the freedom of information and transparency in the prevention, suppression, prosecution of corruption. In addition, the NAIH called the attention of the professional and lay public to the outstanding role and context of the issue.

In close cooperation with a member of National Protective Service, the NAIH organized a conference for the local governments of towns with a population over 15,000 on 26 February on the freedom of information. The lectures delivered here focussed on access to data of public interest and data public on grounds of public interest, as well as the practical issues of electronic disclosure. The two organizations continue to shape the programme and topics of discussion of future conferences on the basis experiences gained during prior cooperation.

4.1. Participation at International Forums on the Promotion of the Freedom of Information

During 2017, the NAIH represented itself at two international forums aiming to approximate and coordinate national and international institutions specialized in overseeing the freedom of information.

The NAIH, attended the conference of European Commissioners for Freedom of Information held in Berlin between 23 and 24 February 2017. The participants at the event organized by the German Federal Data Protection and Information Commissioner presented their national experiences of the fundamental right to freedom of information, and gained insights into the relevant practices of other states. In addition to the exchange of experiences, specific issues were also discussed. At the close of the conference, the European Data Protection Supervisors adopted a resolution calling on national parliaments and governments to strengthen the role of the freedom of information and of the national institutions supervising it.^{^[1]} Freedom of information and transparency are an essential element of a freely and democratically functioning legal system.

NAIH also actively participated at the 10th International Conference on Freedom of Information Commissioners in Manchester between the 20 and 21 September 2017. More than a hundred participants from different parts of the world were able to discuss national and international experiences of the freedom of information. In the resolution of the conference, the participants emphasized and considered the strengthening of the transparency of performance of public and local government services provided by outsourced contractors and public procurement in the future.^{^[2]}

The participants at these forums repeatedly expressed the need to deepen cooperation at European and international level, with the aim, first and foremost, of establishing common standards. The NAIH therefore expresses the hope that such future events will expand the opportunities of cooperation. These may ultimately lead to the creation of regional or global standards, as in the regulation of data protection, in the field of the freedom of information.

[1] http://naih.hu/files/EU_Infoszab_bizt_nyil_2017-02-24.pdf

[2] http://naih.hu/files/2017-09-28-Infoszab_biztosok_hatarozata.pdf

2016

1. Bodies with public service functions

Since the Privacy Act contains no exact definition for public service function it can only be determined in relation to an individual case, taking into account all the circumstances. However, the concept should be broadly understood thus a wide range of activities is included.

The features determining a body with public service functions are wide. It may mean functions when the body or individual performs state or local government duties, as well as other public tasks defined by legislation. It also covers the management of national asset with the consequences that state or local governmentowned companies cannot exclude themselves with reasoning that they are not bodies with public service functions as set out in legislations.

Decision 6/2016 (III. 11.) AB (Constitutional Court) concludes that in terms of freedom of information, all that matters is that the body processes public information, and therefore – in order to enforce the right of access to public information – has an obligation to comply with the data request. This is a general obligation and as such shall not be restricted with the limitation of the circle of the addressed bodies as it would limit the right of access to public information.

In one case, NAIH investigated the company called Erzsébet Üzemeltető Kft. (hereinafter: Company) which has refused to disclose information upon the argumentations that the Company is not processing data of public interest or data public on grounds of public interest and does not fall within the scope of the Privacy Act. According to the content of the Hungarian business register, the Authority found that the Company is owned by HUNGUEST Vagyonkezelő Zrt., a private limited company, and more than 50% of voting rights belong to Magyar Nemzeti Üdülési Alapítvány (Hungarian National Recreational Foundation), which was set up to operate within the framework of a governmental program the property complex for providing holidays and recreational camps primarily for socially disadvantaged children. Therefore the Company is to be considered as a body with public service functions and has to provide information on contracts aimed to operate recreational camps with a contractual worth of more than 5 million HUF.

In another case, the definitions of data controller and data processor have been investigated in terms of FOI. The Cabinet Office of the Prime Minister refused to provide information on the accepted concept of the differentiated organization of human public services. The Cabinet Office referred to the relevant governmental decree, which entrusts the Minister of Human Capacities with the development of the concept and thus the Cabinet Office identified itself as no data controller of the concept in question. In view of Decision 6/2016. (III. 11.) AB (Constitutional Court), NAIH found that the above argumentation is false, denying to be a data controller is also not applicable therefore the Cabinet is obliged to provide information on the concept mentioned in the decree.

NAIH also investigated the Hungarian Court Bailiffs’ Chamber as a body with public service functions. The Chamber refused to provide information on contracts worth at least 5 million HUF with the reasoning that the Chamber does not manage public funds, therefore the information in connection with the contracts do not qualify as public information. Moreover, disclosing the data would cause disproportionate difficulties for the Chamber. NAIH found that according to Act LIII of 1994 on Court Bailiff and in view of the Privacy Act the Chamber is a body with public service functions and therefore it must comply with Sections 26-30 of Privacy Act. Furthermore, the difficulty of providing public information is not a legitimate ground for refusal, but only a factor affecting the method and costs of disclosing public data.

In connection with the fully state-owned Nemzeti Eszközgazdálkodási Zrt. (hereinafter: Company) exercising ownership rights on state assets NAIH found that it is a body with public service functions and all the information in connection with its wealth management is considered to be public. Therefore information on the contract regarding the public procurement for due diligence of Adriatiq Island Group shall be made accessible to anyone with a claim access to these information. The data controller has violated the requesting party’s right to access to data of public interest or data public on grounds of public interest when it refused to provide information on this contract.

NAIH reached the same conclusion regarding a company owned exclusively by a municipality. According to the provisions of the Fundamental Law, the Privacy Act, Act CVI of 2007 on State Property and Act CXCVI of 2011 on National Property the municipality owned company qualify as a body with public service functions and therefore is obliged to provide information to a request on data of public interest regarding the use of public money.

In 2016, NAIH received many submissions dealing with the sessions of the national student union, in particular with the publicity of the minutes of the union’s meetings, of the Senates’ meetings and also of the disclosure of the union’s officials’ personal data.

A specific case focused on the publicity of the minutes of the National Conference of the National Student Union (hereinafter: HÖOK). According to Act CCIV of 2011 on National Higher Education HÖOK represents the students on national level. HÖOK is considered to be a legal entity represented by its president. Its legal functioning is supervised by the public prosecution and its accountancy obligations are similar to other entities. The main function of this body is to represent the students on a national level within the democratic system of the higher education, which shall be inevitably considered as a public service function. This interpretation is supported by the fact that the member organizations of HÖOK are sui generis considered as bodies with public service functions, whereas their active participation in the functioning of the organization further strengthens its public body function. The final conclusion of NAIH was that the HÖOK carries out tasks associated with the democratic functioning of the higher education therefore HÖOK is a body with public service functions and as such is obliged to perform its duties deriving from the Privacy Act.

2. Personal data public on grounds of public interest

In 2016 NAIH received numerous submissions regarding the access to personal data of persons undertaking public duties. The most frequent questions were about wages, regular bonuses and asset declarations of these persons.

Request for disclosing information (including on the procedure, on the conditions and on the persons making the decisions) about wage bonuses received between 2010-2016 by the permanent secretaries of State and deputy secretaries of State working at the Cabinet Office of the Prime Minister was refused by the Cabinet Office. NAIH found that this issue is linked with the use of public funds therefore the principles of transparency and verifiability shall be strictly respected. However the conflict between the right of informational self-determination and on freedom of information has to be balanced.

A balancing test shall examine whether the right to privacy shall not be disproportionally violated when disclosing personal data in connection with performing public duties. Typical categories of such data are personal allowances (both natural and pecuniary) given to higher ranked officials e.g. board-wages, premiums, replacement remuneration, wage allowances. These wages are considered as personal data connected with the performance of public duties and thus available for the public. However, the benefits assigned on a social or necessity basis e.g. housing, family or social supports belong typically to the private sphere of the beneficiary – who might happen to be a public servant supported by his employer (in this case a public organ). Therefore, in this latter fall the names should not be disclosed automatically but only with the consent of the data subject.

Section 26 (2) of the Privacy Act defines each personal data public which is linked to the official responsibilities of the individual performing state or local government responsibilities. This includes the amount of wages and bonuses of state secretaries, the name of the decision-making person and every factor orienting the decision on these benefits. Therefore the Cabinet Office has violated the requesting party’s right to access to data of public interest when it refused to provide information on the above subject.

The same conclusion was reached regarding conditions of payment and reimbursement of travel expenses (including the financial support of local transport passes) granted for a notary of a local government. Concluding the investigation, NAIH found that the category of “data on allowance” need to be interpreted broadly, as it shall include all the emoluments and benefits regarding the civil service relationship. The publicity of these data can help – among other things – the realization of the principle of equal treatment when it comes to salary and other benefits.

Therefore any allowance received by the municipal notary are public data. When the major of the local government – as the employer of the notary – refused to provide information on the requested data, the requesting party’s right to access to data of public interest or data public on grounds of public interest has been violated.

In relation to the publicity of asset declarations NAIH found the violation of the Privacy Act when the requester was allowed to submit his/her request for access to public information only in writing or when he/she was able to access the information only in person, that is to say by means of a personal appearance. It also violates FOI when the citizen is not able get a copy of the asset declaration of a municipal government council member. The asset declarations of the mayor and the representatives of local governments are data of public interest, which must be made available to anyone in accordance with the relevant legal provisions.

In another case, NAIH also emphasized that the rules on FOI set out in Privacy Act are applicable to the data contained in the asset declarations of national minority municipality representatives. However, Act CLXXIX of 2011 on the Rights of National Minorities declare these documents only as public, but does not require their disclosure. Consequently the disclosure of asset declarations of national minority municipality representatives may not be ordered by the local municipality on mandatory basis.

3. Information underlying a decision

FOI as a fundamental right is not absolute, in some cases exemptions or even exclusions from disclosure might be applied. The rules of the restriction can be found in Section 27 of Privacy Act, particularly important are the provisions in connection with the limitation of publicity of information underlying a decision.

The main aim of the protection of information underlying a decision in the decisionmaking process is the fulfilment of public duty free from unauthorized influence.

Information compiled or recorded by a body with public service functions as part of, and in support of, a decision-making process for which the body is vested with powers and competence, might not be made available to the public for ten years from the date it was compiled or recorded. Access to these information may be authorized by the head of the body that controls the information in question upon weighing the public interest in allowing or disallowing access to such information. According to Privacy Act, request for disclosure of information underlying a decision may be rejected, if the data really serve as substantial element of the decision making process, and the disclosure is likely to jeopardize the successful enforcement of the decision e.g. by providing unreasonable advantage for given companies.

After the decision was made, the protection can be maintained if the disclosure is likely to jeopardize the legal functioning of the body with public service functions or the discharging of its duties without any undue influence, or it may also influence future decisions.

If the information in question is part of a collection of data upon which a decision was made, but other parts of it will still be subject of a decision, these elements of the collection of data will not be public after a decision was made on a different part of data. It is not clear however, which data might be connected to a future decision. An information can be the basis of numerous further decisions. Additionally, access to information that has already been subject to a decision, but will likely be used in further decision-making processes, may be restricted. Identification of such data is nevertheless ambiguous, since any information may serve as the basis for numerous further decisions. Such a broad application of the restriction of freedom of information would however be unconstitutional.

After the decision, bodies with public service functions have to consider whether there is public interest in connection with the data inspection which underlies the restriction of publicity. If not, for example the decision has already been made, no further measures have to be taken and the data shall be disclosed. Similar consideration has to be taken in connection with information subject to further decisions: it has to be examined whether there is any decision, which might be unduly affected by with giving out information underlying a previous decision. In the absence of such reasons, FOI cannot be restricted.

In one case the National Election Office (hereinafter: NVI) refused to make accessible a guidance on inspection of signatures collected in connection with a petition for a referendum. NVI referred to as a ground for the refusal that the guidance contains data on information underlying a decision.

In the investigation – based on the data-principle and also on the practice of the Constitutional Court –, NAIH declared that the publicity of information underlying a decision can be restricted but not in a discretional mode. The restriction can be justified only on the basis of strict requirements laid down in the relevant decisions. NVI’s decision was in line neither with the Fundamental Law, nor with Privacy Act and thus it has violated the requesting party’s right to access to data of public interest or data public on grounds of public interest. For one part, NVI did not justify properly what is the ground of the restriction of publicity requested by the party. “Inspection of signatures without any influence” as reason cannot be considered as well-founded. On the other hand, NVI has failed to examine the possible effects of publicity on the affected employees’ work. NAIH’s opinion was further supported by the fact that days after the refusal of the disclosure NVI made the requested document public as a response to “false statements” appeared in the press. Finally, instead of selecting the concrete data set, the whole document was considered as restricted within the meaning of Section 27 (5) of Privacy Act. Therefore NVI has violated the fundamental requirements set out in several decisions of the Constitutional Court.

In another case, after receiving a consultation submission, NAIH examined Section 9 (1) of the Governmental Decree 257/2016 on Municipality ASP^{^[1]} System, which says that „information provided in the data registry contained by the governmental and local governmental decisions is underlying decisions”.

This interpretation, exceedingly qualifying the whole content of the registry as information underlying a decision, would violate both Privacy Act and Fundamental Law. On one hand, the kind of practice based on this interpretation undermines transparency of decisions made by state or governmental bodies regarding their data register. On the other hand, information underlying a decision cannot be qualified as restricted generally in view of the register. An information can also serve as foundation for any future decisions: an abstract relationship with an uncertain decision shall not justify restriction of FOI. This would entirely deprive the basic right to access data of public interest and data public on grounds of public interest.

In another case NAIH started an investigation because the Ministry of National Economy (hereinafter: NGM) refused to provide information on preparatory legislation impact assessments regarding the Családi Otthonteremtési Kedvezmény (family home purchase subsidy scheme, a non-refundable aid by the government for housing families). According to NGM, these documents contain information underlying a decision.

NAIH emphasised that according to relevant legislations, the summary of the preliminary impact assessment in accordance with the draft released for public negotiation should be made public. In case of data with obligation of disclosure, the reference to the quality of information as of underlying a decision is false since the online proactive publicity is ordered by law. This means that this part of the studies – or at least the internet links – should have been sent to the requesting party.

NAIH also found that access to documents shall be distinguished in accordance with the status of the relevant legal act based on the studies. By the creation of the legal acts, the interest of keeping the supporting analyses and studies as secret ceases. Only the disclosure of those parts of the documents might be considered acceptable, which are contrary to the legal acts or which parts of the studies have not been finally used. Summarizing the above, NAIH was on the opinion that the proceeding of NGM was contrary to the fundamental requirements on the restriction of publicity of information underlying a decision.

[1] Application Service Provider: professional management and tax system for municipal governments

4. Rules of reimbursement of costs regarding data requests

In 2016 the 301/2016. (IX. 30.) Governmental Decree on the Costs of Disclosure of Information (hereinafter: Decree) was accepted and came into force on 15 October 2016. The amendment of the Privacy Act (coming into effect on 1 October 2015) provided the opportunity – in some cases – for bodies with public service functions processing the data in question to charge a fee and to communicate this amount to the requesting party in advance. However, the law did neither specify the cost elements nor the amount of the fee. The lack of proper legislation opened the possibility for abuses in resulting a constant challenge for the law enforcement practice. According to NAIH, the Decree would provide proper remedy for these problems.

It should be noted that with regard to the rules of Privacy Act, charging a fee is not obligatory, but left to the discretional competency of the body concerned.

In case of requests submitted prior to the entry into force of the Decree, the costs can be charged in accordance with the principles and rules developed by NAIH.

If the body decides not to exercise this right, it is not possible to determine it subsequently. Similarly, it is forbidden to demand from the requesting party the cost difference between the preliminary calculated/reimbursed costs and the actual costs.

It should be noted that according to Act CXXVII of 2007 on Value Added Tax VAT is irrelevant when it comes to the fulfilment of requests regarding data of public interest. Therefore, bodies with public service functions may not charge VAT in relation with the cost of disclosure.

Based on the Privacy Act, there are three cost elements in the Decree. According to Section 29 (5) point c) of Privacy Act, in determining the fee chargeable the following cost items can be taken into account:

the cost of the data storage device containing the requested information,
the delivery fee of the above data storage device to the requesting party,
if the fulfilment of the request for information requires disproportionate workforce needed for the ordinary operation of the body, the additional labour costs needed.

No other cost elements may be charged, as it would be contrary to Privacy Act.

Regarding the data storage devices, the cost of requesting copy is determined by the number of pages, not by document sheets. Since the minimum number of pages that may be taken into account is 10, therefore short documents containing data of public interest and data public on grounds of public interest cannot be subject to cost reimbursement. Delivery costs are not determined in the Decree, therefore postal service fees should be taken into account.

The amendment of the Privacy Act in 2015 provided the opportunity for bodies performing state or local government responsibilities to charge a fee for additional labour costs. In this regard, a lot of questions have been raised prior to the entry into force of the Decree, for example: what can be considered as additional labour costs, what types of costs can be determined, when can bodies charge a fee for reimbursement in relation to that cost element.

According to the Decree, cost of workforce may cover the time necessary for the identification, collection and arrangement of the requested data, the time for the duplication, and the time necessary for the anonymization of data that may not be accessible by the requesting party. If this period exceeds four working hours, this cost element should be calculated in the following way: the working hours of the correspondent must be multiplied by the actual labour costs per hour of work (according to the Decree, this amount may not exceed 4400 HUF). Other contributions, bonuses, rewards and other benefits, such as fringe benefits cannot be taken into account.

It is important that the extra labour expenses cannot be considered “remuneration” of fulfilling the request for data of public interest, which is not a service but a constitutional obligation of the concerned body. Moreover, providing copies cannot be considered as business activity but a possibility to ask for compensation in connection with raw material costs from the requesting party. Privacy Act allows it only if it requires disproportionate heavy workload compared to basic duties of the given organ. In this meaning, outsourcing of work does not mean disproportionate workforce: cost reimbursement is only available in connection with the copy, not with additional labour costs.

Finally, NAIH emphasises that according to Privacy Act, bodies with public service functions have the obligation to provide information for parties requesting public data on the detailed amount of these costs, including all the reasons and cost elements. This does not mean that these obligations are restricted to provide information on the reimbursement rates of the cost elements. Providing proper information helps the requesting party to understand clearly, why and what kind of costs have to be paid in order to get the required data, and it also helps to decide on what legal remedies to choose.

5. NAIH’s activities related to the prevention of corruption

NAIH has stated many times that FOI plays a key role in the prevention of and fight against corruption. The deterrent effect of publicity can also prevent these situations therefore special attention has always been payed to this topic.

In 2016, NAIH representatives have contributed to several anticorruption initiatives. In this context the educational and informative activities related to commitments within the initiative called Open Governmental Partnership shall be noted, which has given a real opportunity to create a close cooperation between the National Protective Service, the National University of Public Service and NAIH.

NAIH helped to create an e-learning curriculum for the fulfilment of these commitments in the spirit of 1460/2015. (VII. 8.) Governmental Decree. NAIH also became a member of the Integrity Development Committee of the National University of Public Service, which aims to help the development and renewal of education of integrity advisors within university frameworks.

In close cooperation with National Protective Service, NAIH participated in a workshop (22.10. – 12.12.2016) aimed to guarantee transparency in local municipality decision-making processes and also assisting publishing decisions with a help of a methodological guide.

2015

Introduction

Freedom of information (FOI) also had a special significance in 2015, NAIH continued its previously established practice and also faced new challenges. We once again call attention to the appellation “Privacy Act”, as this is the term we use to refer on Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information.

The classic caseloads were the obligations related to state/municipally-owned companies’ freedom of information; including the disclosure requirement of the Hungarian National Trading House Plc. and the legal entities established by the National Bank of Hungary.

A number of enquiries were submitted because refusal of data requests in connection with studies ordered by national public bodies, which have been financed by public funds.

Good progress was made concerning the costs of freedom of information requests, as the Ministry of National Economy, Tax Affairs State Secretariat in its resolution stated that since the completion of the freedom of information request constitutes a “public authority activity” on the basis of the VAT law, fees charged because of requests should be considered exceptional.

1. Publicity/online disclosure of the declarations of assets

From time to time, the publicity of the asset declaration of elected officials always gets into focus while investigating the two fundamental rights. In 2015 NAIH had to deal with the publicity of asset declarations in a totally new context, also with the balancing test between the protection of personal data and the FOI. Many municipalities wanted to decree the online publishing of asset declaration of the representatives, the major, the leaders of at least majority municipality-owned companies and all other local public bodies on their websites.

The public bodies subject to disclosure requirement have the possibility to publish on their website or in the central electronic register (www.kozadat.hu) other date of public interest than the standard disclosure list describes in Annex No. 1.

NAIH gave supporting opinions on requests regarding regulations based on Section 37. (3) of the Privacy Act on ad hoc disclosure list, and welcomed the publishing of contracts on their website, that haven’t reached the worth of 5 million Forints described in the standard disclosure list.

However, the commitment to transparency sometimes could be limited by the protection of personal data. NAIH could not contribute to the acceptance of those initiatives where the municipality’s representative body wanted to decree the online disclosure of asset declarations on the basis of ”free” consent of the data subjects against the Privacy Act’s relatively new rules. The Section 26. (2) got a new supplement regulation on purpose limited dissemination of personal data of public interest, so the NAIH would support that the online disclosure of public asset declaration of local representatives shall be regulated by law.

In some cases, the municipalities tend to order in local decree or in FOI statues the disclosure of asset declaration of municipally-owned companies’ leaders, which are not even personal data of public interest upon the law. NAIH warned that except the persons concerned in Act CLII of 2007 on obligation to declare assets, without the authorization of law, municipalities cannot make asset declaration compulsory in local government regulations. According to Section 5 paragraph (1) point b) of the Privacy Act, municipality regulation can order the processing of personal data only by authorization conferred by law. Likewise, the municipality cannot order the disclosure of non-public asset declarations according to the Section 5 part 1.

The asset declaration – except the identity records – of mayors and local government representatives in Hungary are data public on grounds of public interest according to Section 39 (2) of Act CLXXXIX of 2011 on Hungary’s Municipal Governments and Section 26 (2) of the Privacy Act.

The consent as legal basis of publishing non-public assets declaration is solicitous in connection with the right of informational self-determination.

According to Section 5 (1) of the Privacy Act, personal data may be processed when the data subject has given his consent, or when processing is necessary as decreed by law or by a local authority based on authorization conferred by law concerning specific data defined therein for the performance of a task carried out in the public interest. Section 3 point 7 defines the data subject’s consent, which shall mean any freely and expressly given specific and informed indication of the will of the data subject by which he signifies his agreement to personal data relating to him being processed fully or to the extent of specific operations.

To conclude, and in the light of these points, the given consent needs to be volunteer and without any interference. In the context of employment, difficulties could be faced with the voluntary nature of the concerned persons given consent.

Relevant to this case, NAIH has informed the local authorities that the publicity of data related to the public service task of the local representative bodies are welcomed and available for anybody free of charge. The voluntary nature of the consent given by other leaders and employees in bodies and companies created by the local authority for publishing their assets declaration, according to NAIH, cannot be guaranteed in a subordinate relationship.

2. Old-new practices relating to FOI requests and the fulfillment of the disclosure obligation

In connection with the amendment of the Privacy Act in 2015, NAIH tried to give guidelines for both enforcers and legislators to ensure that freedom of information is not restricted unnecessarily.

On the one hand, at the amendment of the Privacy Act, NAIH actively tried to orientate the legislator on how to word the provisions assisting the enforcement of the fundamental right to access to data of public interest. On the other hand, NAIH commented on the implementing regulations for the reimbursement of expenses, furthermore answering the consultation submissions helped to develop a reliable case-law.

2.1. May a body with public service functions request identification for fulfilling FOI requests?

Public information and data public on grounds of public interest can be accessed by anyone in regard of Article VI (2) of the Fundamental Law and Section 26 (1) and 28 (1) of Privacy Act.

According to Section 28 (1) of Privacy Act, data of public interest shall be made available to anyone upon a request presented verbally, in writing or by electronic means. Access to data public on grounds of public interest shall be governed by the provisions of this Act pertaining to data of public interest. According to Section 29 (1a) and (1b)

the body with public service functions that has the data of public interest on record is not obliged to comply with requests for public information whereby the request is identical to that of submitted by the same requesting party within one year and with the same dataset provided that there were no changes in the dataset concerned;
the body with public service functions that has the data of public interest on record is not obliged to comply with requests for public information if the requesting party does not provide his/her name, in case of a legal person its description, and contact details through which the requested dataset or any other information can be provided.

According to the amended Section 28 (2), unless otherwise provided for by law, the processing of personal data of the requesting party in connection with any disclosure upon request is permitted only to the extent necessary for disclosure, for the examination of the request as determined by Section 29 (1a) as well as for the collection of payment of charges needed for the disclosure. Following the deadline as determined by Section 29 (1a) and upon receipt of the said payment, the personal data of the requesting party must be erased without delay. Processing of personal data in this way is limited to 1 year, after this, the aim of the data processing vanishes, additional data storage creates unlawful processing of data.

This legislation follows that when requesting data, identification is not needed, and it is not a legal requirement either. The person requesting data needs to provide the contacting data only.

Referring to the request sent by the KiMitTud (WhoKnowsWhat) website, NAIH recommended that to fulfill the data requests submitted via the data requesting system, the automatic email address at KiMitTud and the name specified during registration is generally sufficient.

The personal data necessary for the fulfillment of the data request and for data processing objectives laid out in Section 29 (1a) of Privacy Act will be treated by the body performing state or local government responsibilities, as the requesting party provides its name and email address, beyond those data, data processing operations such as determining the person’s identity it is not necessary, thus constitutes unlawful data processing [NAIH/2015/4710/2/V].

2.2. Is it objectionable when the party requesting for the same data within 1 year, and the body with public service functions denied the request on the same data before?

The aim of the restriction accepted by NAIH is the following: if one has got to know the data, and there were no changes, to reduce the administrative burden, it is not necessary to fulfill the request. Ignoring the data request, however, remains unacceptable, and the administrative allowance is to be applied only on substantially completed former data request. When multiple data request arrives to a body with public service functions, NAIH recommends publishing the information on the website and providing a link for fulfilling subsequent data requests.

2.3. When does the deadline of fulfilling FOI requests start when the request is sent electronically?

Section 29 (1) of Privacy Act has reified the start of the deadlines of fulfilling data requests.

While the previously existing wording said that the deadline started when the body had become aware of the request, while according to the new provisions, it must comply with requests for public information at the earliest opportunity within not more than fifteen days. The starting date of the deadline is therefore the date when the email arrived to the body with public service functions, regardless of whether it is a business day, a public holiday or a day during the administrative brake. Data requests arrived during the administrative break can be fulfilled within the statutory time limits if – according to the general publication list and rules laid down in Section 37 (1) and Section 30 (6) of Privacy Act – the body provides an email address which is still supervised by a colleague during the break.

2.4. The mandatory regulations to be drawn up

During the investigations, NAIH found that deficiencies and overruns in relation of fulfilling FOI requests can be traced back to the practice of bodies with public service functions, as they did not prepare the manual on information on public interest.

NAIH recommends the following elements in the guide:

The scope of the policy: requesting the data public on grounds of public interest, the employee’s data public on grounds of public interest held by bodies with public service functions.
Appointing the person or department responsible for fulfilling requests on data public on grounds of public interest.
The procedural rules on fulfillment of the data demands: specialized case management system or creating some special rules in relation to the overall case management order; determining the mailing and electronic address, fax number through which they accept demands; answering the verbal demands; decision about whether a submission is to be considered as data request.

Section 35 (1) (2) (3) of Privacy Act state that

The head of the data source subject to electronic publication shall provide for having the data and information specified on the publication lists defined in Section 37 published accurately, up-to-date and on a regular basis, and for having them sent to the data disseminator.
Responsibility for the publication of the data by electronic means, continuous access, and for keeping them authentic and regularly updates lies with the data disseminator.
The data source and the data disseminator shall adopt internal regulations for laying down the detailed rules for discharging the obligations referred to in Subsection (1) and Subsection (2), respectively.

According to the above, special rules need to be laid down on disclosure of the data by electronic means, but these rules can be integrated into the manual about the fulfillment of request for data of public interest.

2014

1. The election procedure in light of freedom of information

Transparency is an utmost precondition of elections and electoral procedures. In the absence of transparency, the election results can be doubted, the common belief of citizens vested in the notion of fair procedure will be ruined which, ultimately, jeopardizes the legitimacy of democratic states. Therefore, the enforcement of freedom of information is of highest importance.

The novelty of the Act XXXVI of 2013 on the Electoral Procedures (hereafter: Ve.) is that point f) of Section 2(1) specifically mentions, among election principles, the notion of transparency. This is an innovation because the former Ve. (Act C of 1997) did not mention it as a basic principle. Section 2(2) of Ve. generally establishes that information at the disposal of electoral bodies shall be, with some exceptions specified by law, public. Section 2(3) states that in the period between the calling of an election and the results of the election becoming final, the provisions of the Privacy Act shall be applied by election bodies with the exception that requests for public information and data public on the grounds of public interest shall be met without delay, within no more than 5 days.

The application of Ve. brought about several practical issues, among others the relation between the provisions of Privacy Act and Ve. concerning transparency, which had to be addressed by NAIH.

A municipal government turned to NAIH enquiring whether or not Ve. 2(3) applies to all requests for public information during the election period. The NAIH, in its response, referred to Ve. 2(2) establishing that information at the disposal of electoral bodies shall be, with the exception of personal data and other information specified by law, public. In light of transparency, according to Ve., the provisions of Privacy Act shall be applied. With respect to request to public information the Privacy Act functions as a general whereas the Ve. applies as a special rule. That’s why Section 2(3) of Ve. is a special rule because the legislation set the short deadline for demanding public information in light of the short election period.

In another case an individual lodged a petition with NAIH alleging that the election committee denied to provide an electronic (scanned) copy of the election minutes. According to Section 204 of Ve. a copy of the minutes may be inspected at the relevant election office for three days following the day of voting. The election committee denied the info request claiming that Ve. contains special rules in this regard. The NAIH, on the contrary, stated that the only special rule is the shorter time period (3 days) and there are no effective provisions in the Act that would limit the enforcement of freedom of information. The NAIH stressed the crucial importance of inspecting the election minutes since these documents contain the final results of elections. Since the election committee didn’t refer to the special circumstances as defined by Privacy Act they denial of information requested had violated the right to freedom of information, therefore, the NAIH called on the electoral body to provide the requested information (NAIH-973/2014/V).

The National Election Office (hereafter: NEO) enquired about the scope of public information, that is to say, whether or not election bodies shall disclose the names of candidate organisations taking over recommendation sheets. The NAIH stated that, pursuant to Section 2 of Ve., the data available to electoral bodies shall be public and electoral bodies shall oversee the legality of recommendations and elections, as a consequence, electoral bodies shall perform such data requests within the time period as defined by Section 2(3) of Ve. (NAIH-781/2014/V.).

We also received a submission concerning the application of provisions regarding pro-active publicity.

A citizen criticized the practice of the Vas County Electoral Committee (VCEC) for the latter failing to send him a resolution electronically initiated by the complainant. The VCEC sent the document solely in postal way and therefore, the applicant alleged, an important deadline for judicial supervision had not been met. In its response the NAIH referred to Section 48 of Ve. saying that the manner of direct communication of resolutions shall be chosen by the applicant and, failing that, in postal way. The decisions, except personal data, shall be disclosed as well though its means is not defined by law and by the National Election Committee (NEC) either. The VCEC informed the Authority that the applicant failed to provide electronic contact details and the resolution had been disclosed on the billboard of the County Hall, too. As a result, the NAIH stipulated there had not been a violation of freedom of information rights though, considering the tight deadlines for legal remedies and the state-of-the-art e-government solutions, it would be advisable for the electoral bodies to disclose their resolutions electronically as well (NAIH-2203/2014/V).

We faced another case where the collision of the publicity of election procedures and the protection of personal data of candidates had to be removed.

A public notary approached the NAIH enquiring whether or not the home address of municipal election candidates may be disclosed. The NAIH referred to point b) of Section 46 of Ve. which says that the resolution on registration of the candidate shall contain the name and home address of the said candidate. Although, in examining the issue, the content of the ballot paper shall also be taken into account. Ve. stipulates that ballot papers shall contain the name of the candidates only. Consequently, the NAIH concluded that the disclosure of home address of independent candidates violated the data protection rights of data subjects (candidates) (NAIH-2666/2014/V).

The NAIH emphasized multiple times that Section 2 of Ve. refers to information processed by electoral bodies only which relate to election procedures. Provisions of Ve. on data processing not related to election procedures shall not apply, in this case the Privacy Act and other regulations have to be taken into consideration.

2. Transparency and the funding of election campaigns

The Hungarian State Treasury (hereafter: MÁK) turned to the NAIH enquiring whether or not names of candidates and nominating organizations subject to the repayment obligation of financial support may be disclosed. In its response the Authority referred to the Section 27(3) of Privacy Act saying that any data that is related to the central budget shall be deemed information of public interest and, as a result, not only the names of candidates (and nominating organizations) but also the exact amount subject to repayment shall be disclosed upon request. The MÁK, however, acts as data controller rather than as an electoral body therefore it shall disclose the requested data within 15 days instead of 5 days, as per the Privacy Act (NAIH-1153/2014/V).

A journalist made an enquiry as to whether the financial support paid to candidates and nominating organizations shall be disclosed. The petitioner claimed that the MÁK had denied providing information referring to Section 30(7) of Privacy Act. The NAIH concluded that information respecting financial support paid to candidates and nominating organizations shall be deemed information of public interest. In its reply the Authority cited the Section 30(5) of Privacy Act saying that if, as regards the refusal of any request for access to data of public interest, the data controller is granted discretionary authority by law, refusal shall be exercised within narrow limits, and the request for access to data of public interest may be refused only if the underlying public interest outweighs the public interest for allowing access to the public information in question (NAIH-1448/2014/V).

3. Transparency as purpose and means; challenges in the transparent operation of state-owned or muni...

The NAIH attaches high importance to the transparent operation of public (state-owned or municipal) companies. In this topic Transparency International Hungary (hereafter: TI) made a research with a view to explore the attitudes of CEOs (chief executive officer) of public companies to the notion of transparency.

As a result of investigations both the NAIH and the TI found that general managers and chief legal officers of public companies were reluctant to acknowledge even the importance of transparency with regard to the operation of public enterprises whereas the CEOs of private companies clearly supported the basic principle of publicity and the prevention of corruption. Consequently, the first and foremost prerequisite in expanding transparency among public companies is that their CEOs should recognize their being subject to freedom of information. This reasoning is confirmed by the Act CVI of 2007 on State Property (hereafter: Ávtv.).

In case of municipal enterprises, we should go back to the provisions of the Fundamental Law (FL). According to Article 38 of FL the Property of the Hungarian State and of municipal governments shall be considered national assets. Article 39(2) of FL states that data relating to public funds or to national assets shall be recognized as data of public interest. Provisions of the FL are supported by the Act CXCVI of 2011 on the National Property (hereafter: Nvtv.). In conformity with the FL Section 7 of Nvtv. stipulates that the National Property is primarily dedicated to ensure the management of public services. According to Section 10(1) of the Nvtv. the Owner shall keep records on the assets of National Property. These records are, with the exceptions of classified data, public. This interpretation has been affirmed by the Resolution 25/2014. (VII. 22.) of the Constitutional Court expanding the notion of public enterprises to indirectly state-owned companies as well. The Constitutional Court confirmed that a subsidiary company under the direct controlling influence of a state-owned or municipal company shall also be subject to the obligation of freedom of information as a company performing public duties.

The NAIH also acknowledged that in certain cases the publicity may jeopardize the effective functioning of public, state-owned companies that’s why, in cooperation with the TI, a balanced approach has been developed to ensure both the enforcement of transparency and business interests.

An additional open question is the setting up of a company website which could be useful for both the company and the public even though the Privacy Act does not prescribe it as an obligation. We think that it would be advisable to establish an own homepage but in case of minor municipal enterprises it is also acceptable if they disclose their public information on the website of the relevant municipality or in the central public information system (www.kozadat.hu).

As for the question whether or not companies managing national properties shall use the same standard publication list as public administration bodies do the NAIH stated already in 2012 that those items of the publication list which do not refer to the activity of the company were not subject to disclosure.

According to Section 37(3) of Privacy Act the Act CXXII of 2009 on the More Economical Operation of State-Owned Companies (hereafter: Kgtv.) shall be deemed as a special publication list. Accordingly, the publicly owned company shall disclose the personal data of executive officers, the members of the supervisory board, executive employees and employees with the right to dispose of the bank accounts of the enterprise and employees with individual power of representation. The CEO of the relevant company shall be liable for the disclosure, the credibility and the continuous access of these information.

Consequently, business interests and secrets shall be limited with a view to ensure the fair financial management, the transparency and the freedom of information rights.

4. Investigation and law review relating to the extension of the Paks Nuclear Power Plant

Last year the NAIH focused on the publicity of information regarding the Paks Nuclear Power Plant (hereafter: PNPP) as well and, accordingly, criticized the adoption of regulations seeking to limit the enforcement of freedom of information.

The NAIH, as a member of the Aarhus Roundtable and in order to foster the transparency, the rights to access to environment information as well as the involvement in decision-making processes, highlighted the following points concerning Draft Bill No. T/2255.

In relation to the publicity of public information over the upgrading of the PNPP the subsequent international and EU regulations shall be taken into account. Principally the Convention on Access to Information, Public Participation in Decision-making and Access to Justice in Environmental Matters (hereafter: the Aarhus Convention) and the Directive 2003/4/EC on Public Access to Environmental Information. Preamble (24) of the Directive and point 6 Article 3 of the Aarhus Agreement both stipulates that these legal instruments shall not affect the right of national legislations to maintain or introduce measures providing for broader access to information, however, the Draft Bill appears to limit these rights.

Section 5(2) of the Draft Bill contradicts both the Privacy Act and the Aarhus Convention therefore, thinks the NAIH, it must be amended on several points.

Pursuant to Article 8(4) of the Council Directive 2009/71/EURATOM, as amended the 8^th July 2014, Member States shall ensure that the general public is given the appropriate opportunities to participate effectively in the decision-making process relating to the licensing of nuclear installations. The NAIH, accordingly, recommended the differentiation of various rules governing the access to information, in conformity with the transposition obligation.

We can conclude that the disclosure of environment information do not fall under the Section 27(5)-(6) of Privacy Act (information underlying a decision) since the preparatory feature is based not only on formal but also on substantial aspects.

In accordance with the practice of the Constitutional Court, documents containing principally drafts or opinions shall be deemed information underlying a decision but environment information do not fall under this term. A recent court decision concluded that an emission metering protocol (quasi advisory opinion) shall not be deemed as a preparatory document underlying a decision but information used to take a decision that’s why it shall be public. In our view, in a pending administrative case such a data request for environment information shall be fulfilled.

The NAIH is of the view that the necessity for limitation of access to public information shall be assessed thoroughly. The respect for investors’ interests cannot overwrite the right to freedom of information and environment information. In the course of such limitations the NAIH suggests that the provisions of the Fundamental Law as well as the EU and international rules shall be taken into consideration (NAIH-2782/2014/J).

5. The limits of freedom of information

We received numerous petitions concerning Section 30(7) of the Privacy Act. This provision deals with the so-called “vexatious data requests” where we can find several problems.

In case of some municipal governments with small staff it may be realistic that they cannot meet enormous data requests from individuals due to lack of sufficient infrastructure and capacity. In such cases the NAIH can accept the practice if the requested party grants access to inspection for the requesting party [Section 30(2) of Privacy Act].

It can be concluded that the more government agencies strive to limit access to public information through publication lists the more and detailed info requests they will face. In light of this, and to foster the uniform application of rules, our Authority published a recommendation interpreting Section 30(7) of Privacy Act.

The NAIH established in various cases that even if the data request affects the inspection of copies of invoices the application of Section 30(7) of Privacy Act shall not be deemed as lawful, what’s more, even in these cases Section 30(5) of Privacy Act shall apply saying that if, as regards the refusal of any request for access to public information, the data controller is granted discretionary authority by law, refusal shall be exercised within narrow limits, and the request for access to public information may be refused only if the underlying public interest outweighs the public interest for allowing access to the public information in question.

Consequently, contracts concluded by a public body do contain public information and therefore, pursuant to Section 26(1) of the Privacy Act, shall be public (NAIH-2604/2014/V).

6. Compliance with data requests – anybody can approach public bodies with information requests

In the past years we investigated several cases where the requested parties demanded additional identification data from the individuals or, in case of non-governmental organisations (NGOs), the registration document was required so as to fulfil the data request.

According to Section 28(1) of the Privacy Act there is no need for the requesting party to submit any document verifying his identity. The only requirement is that the requesting party shall submit his contact details in order for the requested party to fulfil the data request. In conformity with the law anybody may submit a data request without the need of providing grounds or his identity for it.

Section 30(4) of Privacy Act affirms this notion by providing that “a request for public information by a person whose native language is not Hungarian may not be refused for reasons that it was written in his native language or in any other language he understands.”

It may come up that the data request cannot be fulfilled because the requesting party has not provided any contact details. In each case the circumstances shall be examined thoroughly and sometimes the information requested can be disclosed electronically. Information shall be supplied in a readily intelligible form and by way of the technical means asked for by the requesting party.

To sum up, it is irrelevant if the requesting party is a registered organisation or not since the requested party may not verify the identity of the applicant.

7. Investigations concerning municipal governments

The negative trend as to the lack of sufficient personal resources and infrastructure affected adversely the enforcement of freedom of information continued in 2014. We found remarkable disparities in the practices of various local governments; some of them run quite informative websites whereas others are reluctant to disclose the most basic information on their financial background.

The Authority always respects the lack of resources and the enormous work burden of smaller municipalities which could prevent these bodies from complying with their disclosure obligations, however, even under these circumstances they should endeavour to disclose public information and to effectively cooperate with the NAIH. Where several local governments were unwilling to collaborate in enforcing freedom of information rights our Authority prepared a publicly available report and published it on its website.

In this report the NAIH emphasized that it was not mandatory for municipalities set up an own website; the disclosure of public information can also take place on the websites of local governments associations or on the homepage of government offices exercising legal supervision over municipalities (NAIH-4369/2012/V, NAIH-5724/2012/V, NAIH-1921/2013/V, NAIH614/2014/V, NAIH-419/2014/V) etc.

2013

1. Individual requests for access to information

Unjustified high fees for the duplication of documents; justified and unjustified elements determining these fees

Section 29 paragraph 3 of the Privacy Act provides the legal basis for charging fees covering the costs of duplication. Public bodies may charge such a fee, but this fee must not exceed the costs of making the copy. The Privacy Act does not mandate the setting of a fee, but only grants the possibility to do so. Indeed, freedom of information is best helped if public bodies abstain from charging a fee to citizens requesting access to information of public interest or public on grounds of public interest.

Despite the above, the NAIH has observed a trend, especially at local government level, where public bodies charge exaggerated duplication fees to try and hamper freedom of information.

Pursuant to the Privacy Act’s provisions on requests for information, in conjunction with the Data Protection Commissioner’s and then the NAIH’s interpretation, duplication fees can only comprise the costs of materials. Citizens cannot be charged the costs of labour, energy or value added tax (VAT). This means that duplication fees are necessarily below market prices.

The NAIH determined, when asked in a concrete case, that for county seats and cities with county rights, copying a 100-page document does not constitute a significant work load. A 160 HUF per page fee was definitely exaggerated and constituted an obstacle to the exercise of the right to freedom of information. It is not legal to charge other costs than the strict costs of copy materials, and VAT is not of application.

Increased fees due to the scanning of documents

The Privacy Act does not make a difference between paper or electronic disclosure of data of public interest or data public on grounds of public interest. Only energy consumption costs may arise during the scanning of documents, which the Privacy Act’s strict interpretation does not allow to be charged. However, it is possible that smaller public bodies do not possess the adequate material to carry out the digitalisation of documents. In this case, the public body in question may have to give the task to a private undertaking that will do the work for a fee. The Privacy Act allows to take these costs into account when determining duplication fees.

It is important when determining fees for the copy of documents to 40 take the scope of the request into account. With no or only small fees, it is possible for a public body to produce the copy of a small document of a few pages. But in the case of a particularly voluminous or complex request, it may be justified for a public body to charge a fee not only for paper but also for digital copies. Judicial case law states that market prices can serve as a guide to determine the fee. The Central District Court of Pest, in its decision of 9 May 2012 (case 10.P.87.319./2012/4), fixed the scanning fee for public information disclosure at 9 HUF per page in case of voluminous requests for information.

The absence of procedural rules pursuant to requests for information

The non-fulfilment of requests for information is often explained by the absence of procedural rules. It is often unclear, in an organisation, who is responsible for their handling. As a consequence, requests can be rejected simply because the public body in question does not possess the demanded information or document. In the absence of a clearly identified official in charge of access to documents, it is also difficult for a citizen to find out who he must turn to.

This is why the NAIH believes it is necessary to modify internal rules in order to identify who is responsible for freedom of information requests. In the absence of such rules, services and civil servants from a public body must communicate with each other proactively in order to collect and disclose the requested information in accordance with the citizen’s request.

2. Complaints regarding compliance with electronic publication obligations

Like in 2012, many citizens turned to the NAIH in 2013 to complain about the fact that some public bodies failed to comply with their obligations as provided under chapter IV of the Privacy Act on the dissemination of data of public interest by electronic means. Such complaints mostly concern small local governments. Despite the fact that many of them operate websites while they have no legal obligation to do so, due to the absence of persons responsible for their maintenance and update, data published on them is often lacking, out of date, or unreliable. It would be a solution for such small local governments with limited resources to upload their data of public interest onto the www.kozadat.hu central open data portal. This operation does not call for particular technical skills. Yet this solution is often disregarded, sometimes even despite repeated calls by the NAIH to do so.

Websites

The Privacy Act does not mandate municipal governments to operate their own websites. Therefore, they may choose between several solutions in order to fulfil their duties on the dissemination of data of public interest by electronic means. For example, besides choosing, despite having no obligation to do so, to operate their own website, they can upload the data to websites operated by local government associations, to the central open data repository www.kozadat.hu or to the relevant Government Office’s portal (see www.kormanyhivatal.hu). If data is uploaded on common websites, each municipality’s data must be clearly and visibly separated.

The Local Government Regulation Database of the National Legislative Database

Pursuant to Government Regulation 338/2011 on the National Legislative Database, on June 30th local government regulations became freely accessible on-line, 2013. It is the responsibility of the Government Office to transmit local by-laws to the National Legislative Database.

The NAIH welcomed the introduction of this new system which significantly improved freedom of information in Hungary.

3. Transparency of public finances

Generally speaking, the transparency of public finances lies at the core of freedom of information. In its 2013/21 (VII.19.) AB decision, the Constitutional Court declared the transparency of public finances to be a constitutional principal, based on the new Fundamental Law.

The NAIH had to examine several cases where the main difficulty was to determine whether commercial undertakings conducting business linked with national assets were public service providers under the provisions of the Privacy Act on freedom of information.

The Fundamental Law, in conjunction with section 7 of Act CXCVI of 2011 on National Assets, provides that the fundamental purpose of national assets is the provision of public services. The management of national assets must always be conducted in a way that makes the interests of public services, and public interest in general, the main priority.

The Act on National Assets provides that national asset operators must maintain a public register on the purpose for which assets are used, their value and their modifications. Only data that is to be classified under legal provisions are not to be published.

Pursuant to the Act on National Assets, State and local government companies mainly provide public services. This is why they fall under the provisions of the Privacy Act on freedom of information, and must comply with requests for information from citizens. These companies must also comply with the obligations contained in the Privacy Act of dissemination of information of public interest through electronic means.

One of the most significant freedom of information cases involving the transparency of public finances was the access to the documents (notes, reminders) explaining the awards of a national tender on tobacco concessions. The K-Monitor Association of Public Interest turned to the NAIH in case NAIH1169-2/2013/V to ask for an opinion on access to those documents.

Pursuant to Act CXXXIV of 2012 on Reducing Smoking among Minors and on the Retail of Tobacco Products (hereinafter: Tobacco Act), the Civil Code and Act XVI of 1991 on Concessions, anyone can have access to the contents of the notes, and Sections 28 and 30 of the Privacy Act are applicable.

According to the NAIH [NAIH-1700-7/2013/V] and based on decision 21/2013 (VII. 19.) AB of the Constitutional Court, that freedom of information, which is a safeguard for the rule of law, the principles of sincerity of public life contained in the Avowal of National Faith and of good governance can only be a reality if the notes of public calls for tenders and concessions are published, and made available to the public in a public and detailed fashion. A summary on submitted bids, and the full and detailed justification of the award, must be communicated to the public.

The National Tobacco Non-Profit Zrt's website only contained general information on the selection criteria, from which nothing could be learnt on the reasons behind the award or the rejection of individual bids. According to the NAIH, this violates the legislator's wish to encourage transparency. Concrete data on the notes should have been published.

Several court cases were initiated regarding individual bids and the access to the relevant documents. Some decisions have already been reached, but they do not constitute final judgments yet. In its decision nr. 70.P.23.269/2013/7 of 13 November 2013, the Capital Court, referring to the NAIH's opinion, ruled that the Ministry of National Development must disclose the names of the jury's members to the bidder, as well as the documents containing the reasons for the award or rejection of the bid.

4. The collision of the two fundamental rights (personal data protection and freedom of information)

The NAIH has to handle every year many cases where the right to the protection of personal data is in conflict with freedom of information. In such cases, the NAIH has to strike a balance.

The most obvious example of collision is when the Law mandates the disclosure of personal data, on grounds of public interest. For example, there is a law providing for the publication of certain data pertaining to the activity of civil servants. Several requests aimed at the publication of lists of civil servants. However, the NAIH tries to limit these attempts, since they are often in contradiction with informational right principles. Legal obligations to publish targeted personal data relating to the activities of civil servants in the frame of their duties is not to lead to the disclosure of their private lives.

On June 21st, 2013, Section 26 paragraph 2 of the Privacy Act was amended, and now states the following (the new text is in italics):

The name of the person undertaking tasks within the scope of responsibilities and authority of the body undertaking public duties, as well as their scope of responsibilities, scope of work, executive mandate and other personal data relevant to the provision of their responsibilities to which access must be ensured by law qualify as data public on grounds of public interest.

These data may be disseminated in compliance with the principle of purpose limitation. Provisions on the disclosure of data public on the grounds of public interest shall be regulated by Appendix 1 of this Act and the specific laws relating to the status of the person undertaking public duties.

There are still pending interpretation matters.

For instance, it is not clear whether the new provisions quoted above are applicable to personal data made public by Law in cases other than that of civil servants. Several legal norms provide for the disclosure of data on individual entrepreneurs or on the executives of private companies.

Lists of civil servants

The Klebelsberg Institution Maintenance Centre (abbreviated KLIK in Hungarian) asked for the NAIH's opinion on the publication of personal data (regarding names, status, salary or education level, for example) of its 140 000 employees (mostly teachers).

The Privacy Act's intention is to implement safeguards to ensure that the rule of law remains a reality, and to provide for the transparency of public finances. However, one cannot consider the matter of teachers' wages – which are without any doubt unfortunately well below the quantity, quality and importance of their work – from the same angle as that of the KLIK's executives.

Disclosure of civil servants' personal data must comply with the principle of purpose limitation. Asking to access documents and information in order to gain insight on the financial management of a public body is in line with the principle of transparency of public finances, and is legitimate. However, the disclosure of all professional data on 140 000 employees brings the risk that this data could be used to libel, slander or harass them. The disclosed information on an individual teacher's career may also, in certain circumstances, put him at a disadvantage on the labour market. Therefore, it is the NAIH's official opinion that such a sweeping request for information constitutes an abuse of law, as it is an attempt to use a fundamental right for an illegitimate purpose.

Access to information on local government officials

a) Assets declarations

One citizen asked for the assets declarations of a mayor covering the last three years, in order to publish them on an online magazine he operates. The mayor declared that he could only offer individual access to this data.

Act LXV of 1990 on Local Governments makes it an obligation for a mayor to publish an assets declaration at the time of his election, and then on a yearly basis. Based on this law's provisions, this declaration is public, and if it was not published for example on the local government's website, the mayor is obliged to disclose it to anybody requesting it.

b) Access to information on official meetings and negotiations

Another person turned to the NAIH with a request for information concerning the time, place and involved persons in meetings with a mayor.

The NAIH stated that freedom of information only applied in this case if the involved persons were officials. Data involving private persons are personal data, and may only be disclosed under the Privacy Act with the consent of data subjects. However, if the mayor met with other officials, then he must, upon request, disclose the time and place of the meeting as well as 45 the identity of the involved people.

c) Access to information concerning days off taken by a mayor

Another citizen requested data concerning a mayor's days off between November 2012 and January 2013. The mayor answered that this was data related to his private life, and that he had no obligation to disclose it. The NAIH supported this point of view. Indeed, the link between the mayor's holidays and his duties as an official are tenuous. Disclosing the requested information would undermine the mayor's right to privacy in a disproportionate way.

Information stirring public attention

The NAIH received several requests for information by people wanting to know whether or not there had been requests for pornographic websites from clients within the Parliament's IT network. The NAIH stated in this occasion that the notion of information of public interest contained in the Privacy Act is not equivalent to the notion of information that the public opinion is curious about and that furthermore, the requested data, in this case, did not qualify as data of public interest nor as data public on grounds of public interest.

5. Data processing operations by court administrations

The role of freedom of information with regards to judiciary proceedings

The National Office of the Judiciary and its predecessor, the Hungarian Supreme Court have contacted us many times for consultations concerning specific data protection and freedom of information issues in relation with the work of the courts.

The NAIH has to – just as before the data protection ombudsman had to – face the controversial characteristic of disclosure of court procedures. From privacy point of view, it is quite absurd that the audience of a courtroom may enjoy the closest view into the most intimate sphere of a marriage during the hearing of a divorce including the sexual life, health problems, financial matters of the husband and wife. On the other hand, it makes no sense that people get no information about decisions of historical importance or nationwide interested cases. It happens too often that the press gives detailed information on a crime committed just some days or weeks ago but remains absolutely silent when the criminal procedure enters into the judicial phase.

There has been a serious dispute whether the data protection ombudsman or authority has the relevant competence to deal with issues of data processing of the judiciary. A consensus has been reached so far: what is a data processing in the sense of data protection terminology is a procedural action from the perspective of the court. The procedure of the court is being regulated by special codes of conducts and other legal norms in detail. These are thus the primary norms ruling the judicial procedures. These specific provisions are considered as lex specialis compared to the lex generalis ruling of the Privacy Act. However, it does not mean that the court may injure the right to informational self-determination of the data subjects during its own procedure when the primary legal norm on the specific situation fails to rule the concrete procedural or material action.

Publicity supports the effectiveness of the classical principles such as trust in the existing judicial system, faith in the Rule of Law and the control function of the society.

The European Court of Human Rights stated that publicity is one of the main requirements of the right to fair trial, no matter in which case, in which procedure, at which level. It does not only protect the parties of the procedure from „secret ways” and „secret judgments” but also strengthens the public trust in the work of the courts.

The principle of the Rule of Law sets the requirement that „the whole legal system, as well as the parts of it and also the concrete legal norms shall be clear, countable and apparent to the addressees.” (Nr. 9/1992. (I. 30.) Decision of the Constitutional Court)

Real time publicity

As far as social demands concern there has been a gradual development from the „publicity of the moment” to the level of complete and whole publicity on the internet. A „real time communication” such as twitter- (https://twitter.com/USSupremeCourt) and other online forum user journalists keep asking why not to broadcast live reporting from the courtrooms in interesting cases? The OpenCourt project makes a step further: it is an experimental project run by WBUR, Boston’s NPR news station that uses digital technology to make Quincy District Court more accessible to the public. Anyone with an internet connection will be able to see and hear what goes on in court. (http://opencourt.wbur.org/)

The real problem would not particularly be with the nonstop reporting of the press but rather with the leaking information of the audience since the sanctioning of such action is not simple. In a British case: two jurors have both been jailed for two months after being found guilty of contempt of court for misusing the internet during crown court trials. One of them posted a message on Facebook, the other one used Google to research the fraud case he was sitting on at Kingston crown court and dig up extra information about victims, which he was said to have shared with fellow jurors. Both cases were brought to the high court by the attorney general on the grounds that the men's actions interfered with the administration of justice.

According to the interpretation of the Hungarian Constitutional Court the publicity of the court hearing gives guarantee against partial or unfair procedure primarily for the parties of the judicial trial and not for the „outside world”, out of the mentioned personal scope.

The Hungarian Constitutional Court emphasises that court procedure is a tool for making a right effective. To turn to court is not a question of choice in most cases: the person has no other way to enforce his right because either he gets involved in the case out of his will (e.g. becomes plaintiff or accused person) or he sees no other legitimate way to practice his right or to protect his legal interest. In this meaning participation in a court procedure shall man voluntarily resignation of data protection rights.

Generally speaking, publicity of the hearing shall not bring automatically the free and detailed reporting about everything what there happens without the consent of the parties involved. It is true in particular for the personal data as of the name of the accused person in a criminal procedure: the full name shall be always mentioned in the courtroom but it does not give authorisation to the audience to make it public outside the courtroom.

In our opinion it is the official duty of the judge to ask for the prior consent of the data subject whether he is willing to be named in a press communiqué of the court or in a report of a journalist. Without such a consent it is not clear whether the data subject agrees or disagrees to be mentioned.

It is worth to mention that the press has its own responsibility on the media contents produced by the press. Section 4 (3) of Act CIV of 2010 on the Press says that „Exercising the freedom of the press shall not involve or constitute the commission of a crime or abetting the commission of a crime, shall not be contrary to public morality, and shall not violate moral rights or result in personal injury under any circumstances.”

If the future regulation gives green light to microblog reporting, the concrete cases of the exception from publicity shall also be mentioned (e.g. protection of children, of victims etc.). The NAIH’s opinion is that limitation should not exclusively be based upon privacy interests but should also protect the integrity of the procedure or the objective decision-making of the judge.

Media coverage

In the system of judicial communication, the present legal regulation guarantees privileges for members of the press. Due to the classical principle of the independence of the judiciary the judges must not report on their own single cases and decisions in order to avoid any improper influence. But the speaker of the court may give information about the official opinion of the court even on single cases.

It is the privilege of the representative of the media to make audio and visual recordings during the hearing. Since the appearance does not fall within the scope of public appearance the procedural rules order to get the consent of the parties (accused person) as a permission for the recording.

According to the Code of Civil Procedure „with the exception of the public prosecutor audio or visual recording is only permitted upon the clear consent of the parties and other actors of the trial, including the legal representatives, the expert, the witness, interpreter and holder of the object of review.”

According to the provisions of the Code of Criminal Procedure: making audio or visual recordings of the court hearing with the aim to inform the public is only allowed with the permission of the presiding judge. Recording of any person present at the court hearing – with the exception of the judges, the clerk of the court, the public prosecutor and the legal representative - is only allowed with the consent of the data subject.

The ruling is clear: making audio or visual recording of the parties at a court procedure is only lawful if they have given their consent to it. However, the procedural rules give no clear direction on the publicity of the names of the parties. Thus, we shall apply the Data Protection Act and follow the relevant Constitutional Court decisions respecting the right to informational self-determination.

There is a special situation when either persons performing public duties or bodies with public service functions are involved. In these cases, the future regulation shall interpret the limitation of publicity in the narrow sense.

In the case of other public figures all circumstances of the situation shall be taken into consideration. In particular how this person became a public figure (for example in the case of an actor or an artist), what is the subject of the ongoing trial and so on. The right to informational self-determination shall be highly respected when the private sphere of the public figure is involved (for example a divorce case). The media shall ask for his consent when reporting about his private affairs.

On the other hand, when the trial is in connection with his public duty (for example in fraud or corruption scandals) the right to informational self-determination of a person performing public duty might be limited with certain data protection guarantees. The limitation shall be necessary and proportionate for the sake of exercising justified general control of the public sphere.

In accordance with Section 26 (2) of the Hungarian Privacy Act the name and rank as well as other personal data of the person in connection with his tasks within the scope of responsibilities of the given public body – including his picture and voice, as well as his statements - might be disseminated. In relation with his other personal or sensitive data such as place and date of birth, health status etc. the limitation of his privacy right would not be justified.

It is worth to mention that in relation to other persons involved in the court procedure beside the person with public functions the data protection rights shall be fully respected (for example the active briber who is giving the bribery money to the politician). It means that their personal data can only be made public upon their consent.

The disclosure of decisions and anonymisation

Different legal systems offer various legal solutions to fulfil publicity demands. In some countries the judgments are available – sometimes for a fee - in collections. In other countries – like in Hungary – everyone may have access to them on the Internet for free.

To simply copy one country’s model would be too dangerous because it is influenced by many cultural elements including the freedom of information regime and the importance of privacy protection in the given country.

Those legal systems which highly respect freedom of information the guarantee to have free access to judgments either online and also on paper should be incorporated in an Act. The text of the disclosed resolutions should be indexed to guarantee easy search. The Hungarian collection, which is also available online cope with these challenges.

The function of the publication of judgments has little to do with the original case and its parties. The dissemination neither serves the interest of the original case, nor is the aim to create a „wall of shame” but the main function is to share information on the judicial practice in general.

Court resolutions may contain information which is not meant for the society of the internet users, even though this information might be part of the publicly declared resolution. That is why the text of the resolutions shall be carefully selected but special attention should be paid not to shorten the useful information of the content. The key to the problem of this certain conflict of interests is the anonymisation of the resolutions so that the information loses its direct connection to the given data subject. Anonymisation does not mean a pure deletion of the names and addresses but it means a careful selection of the text to prevent unlawful dissemination of personal data. The parties of the court procedure should be identified through naming their position e.g. the plaintiff, the witness etc. According to the law there is no need to delete the name and rank of a person acting on behalf of an organ performing public duties, the name of the legal representative, the name of the NGO or foundation, the name of its representative and all the information which is made public on grounds of public interest. There is no need to delete the name of the respondent party if he loses the suit in case the law guarantees the recourse of „actio popularis”.

If the court session was partly or completely closed and the interest based upon the closure cannot be otherwise guaranteed the resolution or part of the resolution shall be deleted from the collection. Classified data should also be protected but no other editorial revision should be carried out on the resolution. (780/K/2007)

2012

1. Companies owned fully or partly by the state or local governments as organs performing public dut...

A cornerstone of creating the publicity has always been the task of defining the circle of organs performing public duties. Classification of persons and institutions created and, as far as powers and competences are concerned, specified by the law was always clear. Although there are institutions the categorization of which is predominantly questionable; these include typically companies established, directly or indirectly, by public funds.

The interpretation of the notion of “other body performing public duties” anchored in Section 26(1) of the Act CXII of 2011 on Informational Self-determination and Freedom of Information (hereafter: Infotv.) posed remarkable difficulties also in the practice of the former Commissioner. Pursuant to Section 100/K (6) of the Act XXXVIII. of 1992 on Fiscal Administration (hereafter: earlier Áht.), effective as of 1st January 2010, companies under the majority influence of the state, a local government, a budgetary agency or a public endowment qualified, according to the law on public access to documents of public interest, as organ performing public duties whereas the person acting on its behalf qualified as a person performing public duties. The 14th August 2010 was this provision however repealed.

In the event of state-owned companies, the sections 5(1) and 5(2) of the Act CVI of 2007 on State Property clarified the situation as follows.

All data that relates to management and disposition of State property, other than public information, shall be treated as information of public interest. Access to these data may be restricted by specific other legislation.
A body or person that is vested with powers to manage or control State property shall be treated as a person or body exercising public functions pursuant to the act on access to information of public interest.

Pursuant to Article 38 of the Fundamental Law of Hungary the properties of the State and local governments shall be national assets. National asset includes, among others, properties owned by the state or local governments, financial assets, valuable rights and interests, company shares. State and locally owned companies, as set out by law, manage public property independently and shall be liable for legality, expediency and success.

This Article of the Fundamental Law set the requirement of transparency over the appropriation of public funds on constitutional level.

Provisions of the Fundamental Law and the transparency of public funds are supported by the Act CXCVI of 2011 (Nvtv.) on National Assets.

Consequently the “defensive position” of state- and locally owned companies has become irrelevant stating that they do not qualify as agencies performing public duties since they are not in possession of powers set out by law. (NAIH-4203/2012/V)

The Act on National Assets and the new provisions of the Fundamental Law a meant a turning point in the long-lasting case of Balaton Shipping Company Ltd.

Since the Balaton Shipping Company Ltd. is owned at 100% by local municipalities around the Lake Balaton, therefore it shall be deemed to be a „quasi” state-owned company, as a consequence any data referring to its assets shall be regarded as data of public interest and shall be disclosed. There are some exceptions, however, where the above requirements do not apply and where publicity may be restricted or excluded. These cases include e.g. business secrets, classified data, documents composed in the course of a decision-making process as well as documents that are subject to intellectual property rights. (NAIH-2607/2012/V)

A local representative, wishing to get access to the copies of agency and business contracts concluded after 1st January 2011, turned to our Authority questioning whether the Erzsébetváros Media Nonprofit Co. might deny the request for data of public interest. In its response the Authority claimed that all data concerning the company’s assets qualify as data of public interest since the Co. is 100% owned by the local government.

Numerous submissions were received regarding the disclosure of data of companies owned, directly or indirectly, by the Debrecen Municipality. In these cases, the data requested by individuals in connection with companies, directly or indirectly owned or directed by the local government, qualified as data of public interest therefore they were subject to disclosure and our Authority passed its decisions accordingly, in favour of the requesting party.

2. Business secrets and publicity – The case of the 4th mobile telecom service provider

At the end of August 2012, respecting the case of the 4th telecom mobile service provider, our Authority issued a recommendation on the disclosure and publicity of companies’ business data which companies are in possession of national assets or are managing thereof. This recommendation is available on our website in Hungarian.

3. Information in support of a decision-making process as an automatic obstacle to disclosure

Public agencies performing public duties are inclined to extend the sections 27(5)-(6) of Infotv to any pre-decision processes. In several cases we found that these authorities had denied the whole disclosure without reasonable grounds.

The Századvég case

The Ministry of National Development turned to the Authority inquiring whether analyses and studies created by business contracts concluded with the Századvég Foundation, Századvég Economic Research Plc. as well as Strategopolis Strategic Analytics and Communication Consulting Co Ltd. can be subject to disclosure. According to the Ministry these papers were governmental preparatory documents. Our Authority found that the documents in question had been prepared from public funds and to public authorities that’s why they qualify as being data of public interest and data public on grounds of public interest (except personal data possibly contained therein).

The Authority emphasized that the restriction of disclosure over preparatory documents in a decision-making process must not lead to the exclusion of transparency. (NAIH-4442/2012/V) The case ended up with a judicial procedure where the court ruled in favour of disclosure of the documents in question at first instance.

4. Data public on grounds of public interest

The scope of data public on grounds of public interest has always been a crucial issue regarding disclosure. The new Infotv. defines the difference between the privacy and public more precisely since, in Section 26(2), it specifies the data that qualify as data public on grounds of public interest.

Pursuant to Art. VI. (2) of the Fundamental Law every person shall have the right to the protection of his or her personal data, and to access and disseminate data of public interest. It shall, however, be underlined that the personal nature of these data remains sound hence the most remarkable safeguard of data protection, the principle of purpose limitation, shall be kept.

The objective of this kind of data processing is to enable the control over the functioning of the executive branch and to ensure transparency of using public funds. Consequently, these data may not be used unlawfully, e.g. for the purpose of personal intrusion which is not in line with his/her public duties. Those disclosures that are intended to insult others obviously contradict the protection of privacy, which can be described as “taking the law into one’s own hands” in the information law, is illegal.

The wide scope of disclosure of data public on grounds of public interest may not lead to the exposure of privacy which is not in conformity with public duties. We have learned that several actors wish to acquire personal data under the auspices of access to data of public interest.

Section 179 of Act CXCIX of 2011 on Civil Servants (hereafter: Kttv.) defines the data public on grounds of public interest concerning civil servants: name, citizenship, name of the employer, the commencement of civil service relationship, the current type and the date of categorization, the scope of duties of the civil servant, the date of appointment to, and dismissal from, an executive position, information on granting of a title as well as the remuneration of the civil servant.

Besides the above, other personal data in connection with his/her public duties may qualify as data public on grounds of public interest – information on education and detailed functions of the civil servant – in accordance with Section 26(2) of Infotv.

Transparency and control – as public interests – are of utmost importance. Although the freedom of information shall be in line with informational self-determination, i.e. it shall be ensured the privacy will not be endangered. Allowances paid to executive officials regularly or on a case-by-case basis, either in kind or in cash, e.g. ransoms, rewards, substitution allowances etc. qualify as personal data occurred in relation to public duties, i.e., are subject to disclosure upon request.

Allowances and benefits, however, that are disbursed relating to solely private circumstances may be subject to disclosure by his/her name only upon the consent of the civil servant therefore, without his/her consent, the disclosure may take place exclusively in an aggregated form – as data of public interest in connection with the financial management. (NAIH-6351/2012/V)

The case of the PM delegation

An MP of the Hungarian Parliament had lodged a petition to the National Authority for Data Protection and Freedom of Information. The MP wished to find out whether the Prime Minister’s Office (hereinafter referred to as PMO) acted lawfully as it disclosed the data of members of a PM delegation (to visit Saudi Arabia last year) only who have been undertaking public duties or who authorized the PMO to do so.

Consequently, the name of PM delegation members who have been undertaking public duties within the scope of responsibilities of the organization qualify as data public on grounds of public interest and that’s why these data shall be disclosed duly upon request in accordance with the prevailing regulations.

According to the relating practice of the Constitutional Court the right of information and communication can be derived from the freedom of expression as constitutional right. This right is essential to safeguard the transparency of different branches of power and to enable the citizens to gain control over the activity of state organs.

This principle is supported by the European Data Protection Supervisor (EDPS) as well who asserted that an optimal balance is to be achieved between the protection of personal data and the citizens’ rights to gain access to Community documents.

Personal data of businessmen and the name of companies that were involved in the PM delegation qualify as data public on grounds of public interest as they attended the journey as members of a state delegation rather than private persons. Disclosure of the above data should contribute to the transparency of state activities.

To sum up the above the NAIH takes the position that both the names of attending companies as well as those of the businessmen involved in the delegation shall be made public upon request. (NAIH-4017/2012/V)

Our Authority has repeatedly to strike the balance between informational self-determination and freedom of information.

“Since Section 26(3) excludes personal data from among the scope of data public on grounds of public interest the employee allowances – broken down by names – are out of that scope. Data on employees may be disclosed only in an aggregated.” (NAIH-6383/2012/V)

5. Performing requests to disclose data of public interest

Our Authority concluded that the disclosure of the above requests beyond the time limit determined by law happened due to the deficiency of internal rules governing these requests. In numerous cases internal regulations merely took over the wording of Infotv. without specifying the proper process thereof. The Authority called up the actors to modify their rules accordingly.

Detailed provisions of performing requests have been improved by the legislator in the new act thus enabling organizations with minor human and financial resources to have more time for disclosure.

Organizations performing public duties have been turning to our Authority continuously, as was the case in the era of the former Data Protection Commissioner, requiring the official position of the NAIH. They argued the overwhelming data requests had been making their daily operation impossible. In these cases, we inform the data controllers that the requests shall be fulfilled only in respect to data that are processed exclusively by them, they are not obliged to create new datasets (NAIH-4205/2012/V). Questions affecting the aims, purposes, opinions or seeking replies to open questions and which are not directed to discover factual information cannot be responded to in all cases.

As the Act LXIII of 2012 on public sector information reuse entered into force the 1st of January 2013 as well as taking into account that the decrees governing detailed rules have not been adopted yet 32 the Authority stressed the opportunity of requests to data of public interest encompassing the creation of new data. (NAIH-4927/2012/V)

Pursuant to Directive 2003/98/EC (hereafter: PSI Directive) organizations performing public duties are not obliged to create new data exclusively for the purpose of fulfilling requests on data of public interest. If the data is not in possession of the controller, then it may not be obliged to supply the information. If the disclosure would demand a higher workload or would imply greater expenses in comparison to average sources the state organ is not obliged by law to perform the request (however it may assume to fulfil the request for fee as a service). Otherwise, the state organ is expected to fulfil the required data processing. Hence the controller should endeavour to render the information in an intelligible manner. (NAIH-4205/2012/V)

According to the law information shall be supplied by way of the technical means asked for by the requesting party, provided that the body with public service functions processing the information is capable to meet such request without unreasonable hardship. In these cases, a compromise shall be made between the requesting and the requested party. In view of the Authority a scanning fee may not be required. (NAIH-4973/2012/V, NAIH-5811/2012/V)

As the body with public service functions shall anonymise the personal data before disclosing the data of public interest the occurring costs of anonymisation shall be borne by the requesting party, however, the notion of costs shall be interpreted narrowly, at requests for minor information it shall be omitted.

In accordance with the positions of the former Commissioner and the Authority the remuneration of the official in charge, the energy used and the costs of depreciation may not be charged on the requesting party. Consequently, the costs may not pose an obstacle against the exercise of access to public information as a fundamental right.

6. Obligation of dissemination of data of public interest by electronic

According to our findings lots of public bodies still failed to comply with the obligation of dissemination despite multiple notices from the Authority. It would be desirable to expand the powers of the Authority in this regard.

Generally local authorities fail to comply with the obligation o dissemination. They kept on referring to personal and financial shortages that prevented them from disclosure and explained that it seriously jeopardized the fulfilment of basic public duties if they would comply with this obligation. In these cases, the Authority called up the municipalities that the required data may be disclosed in the central system of public information where no special skills are needed.

7. Third party intervention

1. Upon citizen’s initiative our Authority launched an investigation because a petitioner had lodged an application with the Eötvös Loránd University requiring public information on financial management of the university. His petition had been denied. The Authority concluded that the student’s self-government was actively taking part in decision-making procedures as far as financial issues and strategic procedures were concerned. Therefore, the student self-government qualified as being a body performing public duties whereas its officials as persons as officials performing public functions. (see: case No. 1642/K/2008-3 of the former Commissioner).

The petitioner filed an action against the University for failing to disclose the required information where the Authority intervened in favour of the petitioner (Pest Central District Court 29.P.85.166/2013.). The case is still pending and a final judgement is expected to be delivered in 2013.

2. The Authority intervened in favour of the Hungarian Civil Liberties Union (hereafter: TASZ) in the litigation against the Gyöngyöspata Municipality Mayor’s Office. The TASZ required data of public interest electronically.

Gyöngyöspata Municipality Mayor’s Office rejected the request stating that the electronic way of communication is excluded in administrative procedures. During the judicial procedure before the Eger City Court (No.19.P.20.194/2012.) the defendant fulfilled the request.